Critical Security Tests Part 2: Intrusion Detection and Monitoring Tests Guide
TLDR: Learn how to test network monitoring and detection to improve your security beyond the very basics.
If you don’t want to spend time writing your own tests, just download our app instead. Register for a free trial of our testing software.
Testing detection and monitoring controls.
Test your snort
Controls
Many business networks run appliances with unused or underutilized IDS and SIEM controls:
- Home: open source or dedicated firewalls usually include an IDS and basic event monitoring.
- Enterprise: IDS appliances, SIEMs and next-generation firewalls can do deep packet inspection, SSL/TLS proxying and a lot of other network monitoring.
Tests
We’ll be testing basic aspects of our controls by:
- Sending command-and-control traffic to a server we control on the Internet.
- Sending exploit kit traffic to a server we control on the Internet.
Test. The. Important. Things.
Example IDS/IPS + SIEM tests.
Sending command-and-control traffic:
Run the command below (note the single \r\n after the request line: a blank line there would end the header block early and the User-Agent and Host headers would be sent as body, where a header-based signature never sees them):
printf "GET /kU2QLsNB6TzexJv5vGdunVXT.php HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36\r\nHost: 107.23.248.210\r\nAccept: */*\r\n\r\n" | nc -v 107.23.248.210 80
# should create an IDS event alerting on StrongPity (Windows spyware) command-and-control traffic.
# the server returns a flag in the response body; if that flag shows up in your IDS or SIEM, the sensor is doing deep packet inspection rather than logging only the connection.
Then check which hosts you were actually able to connect to.
Sending exploit kit traffic:
Run the command below (same header layout as above: one \r\n per header, the blank line only at the end):
printf "GET /a.php?e=2884 HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36\r\nHost: 107.23.248.210\r\nAccept: */*\r\n\r\n" | nc -v 107.23.248.210 80
# should create an IDS event alerting on a Teletubbies Adobe Flash exploit kit indicator.
# the server returns a flag in the response body; if that flag shows up in your IDS or SIEM, the sensor is doing deep packet inspection.
Then check which ports are open outbound to the Internet.
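Both tests above are one procedure: send a request that looks like known-bad traffic to a host you control, read the flag out of the reply, then confirm the sensor actually raised an alert for that run. The script below is an added example, not the page's own tool or the testing software it advertises. It assumes the sensor is Suricata writing EVE JSON alerts (eve.json), that the alert's signature text names the threat (StrongPity, Teletubbies), and it reuses the page's paths and IP; the sample log lines embedded in it are constructed, not real sensor output. It also builds the request with correctly terminated headers, since a blank line directly after the request line pushes Host and User-Agent into the body.

```python
"""Send the page's IDS/SIEM test requests and check the sensor for the hit.
Added example; assumes Suricata EVE JSON. Sample log below is constructed."""
import json
import socket
import sys
from datetime import datetime

UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36")
EVE_TS = "%Y-%m-%dT%H:%M:%S.%f%z"  # Suricata EVE timestamp layout

# The page's two test cases: request path and the threat name assumed to
# appear in the alert's signature text.
TESTS = {
    "c2": ("/kU2QLsNB6TzexJv5vGdunVXT.php", "StrongPity"),
    "exploit_kit": ("/a.php?e=2884", "Teletubbies"),
}


def build_request(path, host, user_agent=UA):
    """Return a well-formed HTTP/1.1 GET: one CRLF per header line and the
    blank line only at the end of the header block. A CRLF CRLF right after
    the request line closes the headers early, so Host and User-Agent would
    travel in the body and a header-based rule would never see them."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}",
             f"User-Agent: {user_agent}", "Accept: */*", "Connection: close"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_request(raw):
    """Split a raw request the way a server or IDS does:
    (request_line, {lower-cased header name: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode(errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def send_request(host, port, raw, timeout=5):
    """Send raw bytes and return the whole response (network; not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def response_body(raw_response):
    """Body of an HTTP response; this is where the flag comes back."""
    return raw_response.partition(b"\r\n\r\n")[2]


def eve_time(ts):
    """Parse a Suricata EVE timestamp such as 2019-06-01T12:00:01.500000+0000."""
    return datetime.strptime(ts, EVE_TS)


def matching_alerts(eve_lines, name, dest_ip, since):
    """EVE alert records whose signature mentions `name`, hit `dest_ip`, and are
    no older than `since`. Filtering on destination and test start time keeps a
    stale hit on the same rule from being mistaken for this run."""
    hits = []
    for line in eve_lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert" or rec.get("dest_ip") != dest_ip:
            continue
        if name.lower() not in rec["alert"]["signature"].lower():
            continue
        if eve_time(rec["timestamp"]) >= since:
            hits.append(rec)
    return hits


# Constructed sample eve.json: a stale hit on another host, the hit for this
# run, and an unrelated flow record. Not real sensor output.
SAMPLE_EVE = """
{"timestamp":"2019-06-01T09:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","dest_port":80,"alert":{"signature_id":1000001,"signature":"TEST StrongPity C2 beacon (constructed)"}}
{"timestamp":"2019-06-01T12:00:01.500000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"107.23.248.210","dest_port":80,"alert":{"signature_id":1000001,"signature":"TEST StrongPity C2 beacon (constructed)"}}
{"timestamp":"2019-06-01T12:00:01.600000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"107.23.248.210","dest_port":80}
""".strip().splitlines()


if __name__ == "__main__":
    # usage: python ids_test.py [c2|exploit_kit] [host] [path/to/eve.json]
    test = sys.argv[1] if len(sys.argv) > 1 else "c2"
    host = sys.argv[2] if len(sys.argv) > 2 else "107.23.248.210"
    path, name = TESTS[test]
    started = datetime.now().astimezone()
    body = response_body(send_request(host, 80, build_request(path, host)))
    print("flag/body returned:", body.decode(errors="replace").strip())
    if len(sys.argv) > 3:
        with open(sys.argv[3]) as fh:
            hits = matching_alerts(fh, name, host, started)
        print(f"{len(hits)} matching alert(s) since test start")
```

Run it once per test case and compare the returned body with what your SIEM shows for the same flow: if the sensor logged the flag text, it is inspecting payloads; if it logged only the connection, you have flow data and not deep packet inspection. The time and destination filter in matching_alerts matters in practice, because an IDS that fired on the same rule last week tells you nothing about whether it saw today's test.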
Want a tool that does it all for you? These tests need to be run safely. If you're unsure, or don't have the time to put together your own tests, register to use our tool below.
Want more tests? Register below!
Available tests for intrusion detection, prevention, and monitoring controls:

| Test | Intrusion Detection | Intrusion Prevention | Security Event Monitoring |
|---|---|---|---|
| malware | ✓ | ✓ | ✓ |
| exploits | ✓ | ✓ | ✓ |
| shellcode | ✓ | ✓ | ✓ |
| c2c traffic | ✓ | ✓ | ✓ |
| browser attacks | ✓ | ✓ | |
| web app attacks | ✓ | ✓ | |