Neohapsis OSEC / Test Criteria

NIDS v1 Test Summary

The tables below outline the tests that make up the OSEC NIDS product verification criteria, version 1.0. They do not test everything one might conceivably want to test, but they go a long way toward verifying the objective product functions that end users care about and about which vendors make claims. The version 1.0 criteria are testable today in a verifiable, repeatable manner; a significant part of developing them was testing and verifying the test methods themselves. We anticipate greatly expanding the range of tests in the version 2.0 criteria as test suites continue to improve and expand.


OSEC NIDS v1.0 Criteria Overview

Column legend for the tables that follow, as used in these criteria: "background port / proto" is the protocol (or src/dst port pair) of the background traffic; "addresses" is the number of addresses in the simulated host block; "pps" is packets per second; "MTU" is the packet size in bytes; "conn/s" is new connections per second; "run time" is the duration of the run; "avg transaction" is the average size of one transaction; "txn/session" is transactions per session. "var" marks a value that varies during a tool dry run, "n/a" a column that does not apply to the test, and "-" a value the criteria do not specify.
A - Device Integrity Checking

Test # | Test Name | Background port / proto | Addresses | pps | MTU (bytes) | Concurrent sessions | Conn/s | Run time | Avg transaction | Txn/session
------ | --------- | ----------------------- | --------- | --- | ----------- | ------------------- | ------ | -------- | --------------- | -----------
A1 | Listening Service Inventory | - | - | - | - | - | - | - | - | -
A2 | Known-vulns check | - | - | - | - | - | - | - | - | -
A3 | SNMP v1 Protos Tests | - | - | - | - | - | - | - | - | -
A4 | Routable ISIC protocol mix TO | - | random | 1500 | - | - | - | - | - | -
A5 | Routable ISIC protocol mix THROUGH | - | random | 1500 | - | - | - | - | - | -
A6 | Unfiltered ISIC protocol mix TO | - | random | 1500 | - | - | - | - | - | -
A7 | Unfiltered ISIC protocol mix THROUGH | - | random | 1500 | - | - | - | - | - | -
A8 | TCP / ISN generation test | - | - | - | - | - | - | - | - | -

B - Signature Baseline

Test # | Test Name
------ | ---------
B1 | Mainstream attack baseline
B2 | Modified attacks

No traffic-load parameters are specified for these tests.

C - State Test

Test # | Test Name | Background port / proto | Addresses | pps | MTU (bytes) | Concurrent sessions | Conn/s | Run time | Avg transaction | Txn/session
------ | --------- | ----------------------- | --------- | --- | ----------- | ------------------- | ------ | -------- | --------------- | -----------
C1 | State Confirmation Test | - | - | - | - | - | - | - | - | -
C2 | Tool dry-run | HTTP | var | var | var | var | var | 12 min | var | var
C3 | Low session, small address block | HTTP | 200 | 6502 | 1500 | 25000 | 432 | 12 min | 4 KB | 433
C4 | Low session, large address block | HTTP | 10000 | 6504 | 1500 | 25000 | 432 | 12 min | 4 KB | 433
C5 | Medium session, small address block | HTTP | 200 | 13004 | 1500 | 50000 | 863 | 12 min | 4 KB | 866
C6 | Medium session, large address block | HTTP | 10000 | 13003 | 1500 | 50000 | 863 | 12 min | 4 KB | 866
C7 | Medium session, small address block | HTTP | 200 | 26004 | 1500 | 100000 | 1729 | 12 min | 4 KB | 1732
C8 | Medium session, large address block | HTTP | 10000 | 26020 | 1500 | 100000 | 1729 | 12 min | 4 KB | 1732
C9 | High session, small address block | HTTP | 200 | 50606 | 1500 | 200000 | 3365 | 12 min | 4 KB | 3376
C10 | High session, large address block | HTTP | 10000 | 51170 | 1500 | 200000 | 3385 | 12 min | 4 KB | 3397

C7 and C8 carry the same "Medium session" label as C5 and C6 but run twice as many concurrent sessions (100,000).

D - Discard Test

Test # | Test Name | Background port / proto | Addresses | pps | MTU (bytes) | Concurrent sessions | Conn/s | Run time | Avg transaction | Txn/session
------ | --------- | ----------------------- | --------- | --- | ----------- | ------------------- | ------ | -------- | --------------- | -----------
D1 | Tool dry-run | var | var | var | var | var | var | 4 min | var | var
D2 | Bogus port and injection (10 Mbps) | src=1028, dst=231 | 65025 | 2300 | 500 | n/a | n/a | 4 min | n/a | n/a
D3 | Bogus port and injection (80 Mbps) | src=1028, dst=231 | 65025 | 17750 | 500 | n/a | n/a | 4 min | n/a | n/a
D4 | Bogus port and injection (200 Mbps) | src=1028, dst=231 | 65025 | 44500 | 500 | n/a | n/a | 4 min | n/a | n/a
D5 | Bogus port and injection (500 Mbps) | src=1028, dst=231 | 65025 | 110500 | 500 | n/a | n/a | 4 min | n/a | n/a
D6 | Bogus port and injection (750 Mbps) | src=1028, dst=231 | 65025 | 170000 | 500 | n/a | n/a | 4 min | n/a | n/a
D7 | Valid port and injection (10 Mbps) | src=1037, dst=80 | 65025 | 2300 | 500 | n/a | n/a | 4 min | n/a | n/a
D8 | Valid port and injection (80 Mbps) | src=1037, dst=80 | 65025 | 17750 | 500 | n/a | n/a | 4 min | n/a | n/a
D9 | Valid port and injection (200 Mbps) | src=1037, dst=80 | 65025 | 44500 | 500 | n/a | n/a | 4 min | n/a | n/a
D10 | Valid port and injection (500 Mbps) | src=1037, dst=80 | 65025 | 110500 | 500 | n/a | n/a | 4 min | n/a | n/a
D11 | Valid port and injection (750 Mbps) | src=1037, dst=80 | 65025 | 170000 | 500 | n/a | n/a | 4 min | n/a | n/a
D12 | Invalid traffic (64-byte frames) | n/a | 65025 | 20492 | 64 | n/a | n/a | 4 min | n/a | n/a

E - Engine Flex

Test # | Test Name | Background port / proto | Addresses | pps | MTU (bytes) | Concurrent sessions | Conn/s | Run time | Avg transaction | Txn/session
------ | --------- | ----------------------- | --------- | --- | ----------- | ------------------- | ------ | -------- | --------------- | -----------
E1 | Tool dry-run | HTTP | var | var | var | var | var | var | var | var
E2 | HTTP (10 Mbps) + injection | HTTP | 200 | 1610 | 1500 | n/a | 11 | 12 min | 4.5 KB | 198
E3 | HTTP (80 Mbps) + injection | HTTP | 200 | 12566 | 1500 | n/a | 264 | 12 min | 4.5 KB | 1556
E4 | HTTP (80 Mbps, 536 MSS) + injection | HTTP | 200 | 23823 | 576 | n/a | 275 | 12 min | 4.5 KB | 1616
E5 | HTTP (200 Mbps) + injection | HTTP | 200 | 31367 | 1500 | n/a | 675 | 12 min | 4.5 KB | 3871
E6 | HTTP (500 Mbps) + injection | HTTP | 10000 | 77237 | 1500 | n/a | 1681 | 12 min | 4.5 KB | 8969
E7 | HTTP (500 Mbps, 536 MSS) + injection | HTTP | 10000 | 116493 | 576 | n/a | 500 | 12 min | 4.5 KB | 8148
E8 | HTTP (750 Mbps) + injection | HTTP | 10000 | 123541 | 1500 | n/a | 3070 | 12 min | 4.5 KB | 13560

F - Evasion List

No traffic-load parameters are specified for these tests. The bracketed tags name the fragrouter or whisker option that generates each case; "3-whs" is a completed TCP three-way handshake.

Test # | Test Name
------ | ---------
F1 | Basic IP Fragmentation (ordered 8-byte fragments) [fragrouter F1]
F2 | Basic IP Fragmentation (ordered 24-byte fragments) [fragrouter F2]
F3 | Complex IP Fragmentation (ordered 8-byte IP fragments, one out of order) [fragrouter F3]
F4 | Complex IP Fragmentation (ordered 8-byte IP fragments, one duplicate) [fragrouter F4]
F5 | Complex IP Fragmentation (out-of-order 8-byte fragments, one duplicate) [fragrouter F5]
F6 | Complex IP Fragmentation (ordered 8-byte fragments, fragment marked last sent first) [fragrouter F6]
F7 | Basic TCP Segmentation (3-whs, ordered 1-byte segments, one out of order) [fragrouter T8]
F8 | Complex TCP Segmentation (3-whs, bad-TCP-checksum FIN/RST, ordered 1-byte segments) [fragrouter T1]
F9 | Complex TCP Segmentation (3-whs, ordered 1-byte segments, one duplicate) [fragrouter T3]
F10 | Complex TCP Segmentation (3-whs, ordered 1-byte segments, one overwriting) [fragrouter T4]
F11 | Complex TCP Segmentation (3-whs, ordered 2-byte segments, forward-overwriting) [fragrouter T5]
F12 | Complex TCP Segmentation (3-whs, ordered 1-byte segments, interleaved null segments) [fragrouter T7]
F13 | Complex TCP Segmentation (3-whs, out-of-order 1-byte segments) [fragrouter T9]
F14 | Complex TCP Segmentation (3-whs, ordered 1-byte segments, interleaved SYN) [fragrouter C2]
F15 | Complex TCP Segmentation (ordered 1-byte null segments, 3-whs, ordered 1-byte segments) [fragrouter C3]
F16 | Complex TCP Segmentation (3-whs, RST, 3-whs, ordered 1-byte segments) [fragrouter R1]
F17 | Delayed injection @ 100,000 sessions
F18 | Delayed injection @ 250,000 sessions
F19 | Delayed injection @ 500,000 sessions
F20 | HTTP obfuscation (hex encoding)
F21 | HTTP obfuscation (double hex encoding)
F22 | HTTP obfuscation (Unicode / UTF-8 encoding)
F23 | HTTP obfuscation (self-referential directories) [whisker -I 2]
F24 | HTTP obfuscation (premature URL ending) [whisker -I 3]
F25 | HTTP obfuscation (prepended long string) [whisker -I 4]
F26 | HTTP obfuscation (fake URL parameter) [whisker -I 5]
F27 | HTTP obfuscation (case sensitivity) [whisker -I 7]
F28 | HTTP obfuscation (Windows directory syntax) [whisker -I 8]
F29 | HTTP obfuscation (session splicing) [whisker -I 9]
F30 | HTTP obfuscation (connection reuse)
F31 | HTTP obfuscation (HTTP version 0.9)
F32 | HTTP obfuscation (HTTP version 1.0)
F33 | HTTP obfuscation (HTTP version 1.1)
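Tests F7 to F16 deliver one attack through different TCP segmentation patterns, and the point of those cases is that a sensor must rebuild the stream the way the receiving host does. The Python below is an added example written for this page, not OSEC test code and not fragrouter: a minimal stream reassembler fed constructed 1-byte segments that reproduce the out-of-order, duplicate, null-segment, bad-checksum and overwriting cases, with a "first" versus "last" overlap policy to show that the same packets yield different streams under the two policies. The sample request, the policy names and every helper function are this example's own assumptions.

```python
"""Added example for the fragrouter TCP segmentation cases (F7-F16).
Not OSEC test code: the request, policy names and helpers are constructed here."""
from dataclasses import dataclass, field
from typing import Dict, List, Literal

Policy = Literal["first", "last"]     # which copy wins when segments overlap

# Constructed client request; relative sequence numbers start at 0.
PAYLOAD = b"GET /evil HTTP/1.0\r\n"


@dataclass
class Segment:
    seq: int              # relative sequence number of the first payload byte
    data: bytes           # payload; empty for a "null" segment
    csum_ok: bool = True  # result of TCP checksum verification


@dataclass
class StreamReassembler:
    """One direction of a TCP stream.

    policy="first": a byte already received is kept (old data wins).
    policy="last":  a later segment overwrites it (new data wins).
    Real stacks differ here, so a sensor must use the policy of the host it
    protects or an attacker can make it reassemble a different stream.
    """
    policy: Policy = "first"
    verify_checksums: bool = True
    received: Dict[int, int] = field(default_factory=dict)  # rel seq -> byte

    def feed(self, seg: Segment) -> None:
        if self.verify_checksums and not seg.csum_ok:
            return        # the host drops a corrupt segment, so the sensor must too
        for offset, b in enumerate(seg.data):
            pos = seg.seq + offset
            if self.policy == "first" and pos in self.received:
                continue
            self.received[pos] = b

    def stream(self) -> bytes:
        """Contiguous data from relative seq 0 up to the first gap."""
        out, pos = bytearray(), 0
        while pos in self.received:
            out.append(self.received[pos])
            pos += 1
        return bytes(out)


def reassemble(segments: List[Segment], policy: Policy = "first",
               verify_checksums: bool = True) -> bytes:
    r = StreamReassembler(policy=policy, verify_checksums=verify_checksums)
    for s in segments:
        r.feed(s)
    return r.stream()


def segment_stream(payload: bytes, size: int) -> List[Segment]:
    """Ordered size-byte segments, the baseline the fragrouter T cases build on."""
    return [Segment(i, payload[i:i + size]) for i in range(0, len(payload), size)]


def one_out_of_order(segs: List[Segment]) -> List[Segment]:
    """Swap two adjacent segments (cf. T8)."""
    s = list(segs)
    s[3], s[4] = s[4], s[3]
    return s


def with_null_segments(segs: List[Segment]) -> List[Segment]:
    """Interleave zero-length segments with the data segments (cf. T7)."""
    out: List[Segment] = []
    for s in segs:
        out += [Segment(s.seq, b""), s]
    return out


def with_bad_checksum_noise(segs: List[Segment]) -> List[Segment]:
    """Precede each real segment with a corrupt-checksum segment of junk (cf. T1)."""
    out: List[Segment] = []
    for s in segs:
        out += [Segment(s.seq, b"X" * len(s.data), csum_ok=False), s]
    return out


def overlap_rewrite(segs: List[Segment]) -> List[Segment]:
    """After the stream, re-send bytes 5..8 ("evil") as "good" (cf. T4/T5)."""
    return list(segs) + [Segment(5, b"good")]


def demo() -> Dict[str, bytes]:
    """Reassemble each constructed case; the value is the stream the sensor sees."""
    base = segment_stream(PAYLOAD, 1)
    return {
        "ordered": reassemble(base),
        "out_of_order": reassemble(one_out_of_order(base)),
        "duplicate": reassemble(base + [base[7]]),
        "null_segments": reassemble(with_null_segments(base)),
        "bad_csum_verified": reassemble(with_bad_checksum_noise(base)),
        "bad_csum_ignored": reassemble(with_bad_checksum_noise(base), verify_checksums=False),
        "overlap_first_wins": reassemble(overlap_rewrite(base), "first"),
        "overlap_last_wins": reassemble(overlap_rewrite(base), "last"),
    }


if __name__ == "__main__":
    for name, data in demo().items():
        print(f"{name:20s} {data!r}")
```

Out-of-order, duplicate and null segments reassemble to the same request under either policy; a sensor that skips checksum verification is fed the junk bytes instead of the request; and the overlapping re-send gives "/evil" under the first-wins policy and "/good" under last-wins, which is the ambiguity the overwriting cases exploit.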
 
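Tests F20 to F28 correspond to whisker's -I obfuscation modes; the sensor's job is to reduce every variant to the same canonical path before matching a signature. The Python below is an added example, not OSEC or whisker code: a request-URI normaliser run over constructed request lines, one per case, against a constructed signature path. The function names, the IIS-style %uXXXX decoding and the signature path are assumptions of this example. Two things it makes explicit: the URI must be split out of the request line before percent-decoding (otherwise the premature-URL-ending case truncates it), and double decoding, case folding and backslash handling are correct only for a target server that behaves that way, so they are switches rather than defaults.

```python
"""Added example for the whisker-style HTTP obfuscation cases (F20-F28).
Not OSEC or whisker code: samples, signature and function names are constructed here."""
import re
from typing import Dict, List
from urllib.parse import unquote_to_bytes

# Constructed signature: the path a hypothetical rule looks for.
SIGNATURE_PATH = "/cgi-bin/probe.cgi"

_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")   # IIS-style %uXXXX escape (assumption)


def percent_decode(s: str, passes: int = 1) -> str:
    """Decode %XX and %uXXXX escapes; passes=2 mimics a server that decodes twice (F21).
    Decoded bytes are read as UTF-8 (F22); undecodable bytes are replaced, not dropped."""
    for _ in range(passes):
        s = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), s)
        s = unquote_to_bytes(s).decode("utf-8", "replace")
    return s


def resolve_dots(path: str) -> str:
    """Collapse '.' and '..' segments, which neutralises F23, F24, F25 and F26."""
    out: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def normalize_uri(uri: str, decode_passes: int = 1, windows_target: bool = False) -> str:
    """Canonical path of a request-URI. windows_target also folds case and maps
    '\\' to '/' (F27, F28); doing that for a Unix target would create false positives."""
    path = uri.split("?", 1)[0]                 # a literal '?' starts the query string
    path = percent_decode(path, decode_passes)
    if windows_target:
        path = path.replace("\\", "/").lower()
    return resolve_dots(path)


def request_path(request: str, **kw) -> str:
    """Take the URI token from the request line BEFORE decoding (F24 relies on the order)."""
    _method, uri, *_ = request.split(" ")
    return normalize_uri(uri, **kw)


def matches(request: str, **kw) -> bool:
    return request_path(request, **kw) == SIGNATURE_PATH


# Constructed request lines, one per obfuscation in the evasion list.
SAMPLES: Dict[str, str] = {
    "F20 hex":            "GET /%63%67%69-bin/probe.cgi HTTP/1.0",
    "F21 double hex":     "GET /%2563gi-bin/probe.cgi HTTP/1.0",
    "F22 %u unicode":     "GET /%u0063gi-bin/probe.cgi HTTP/1.0",
    "F23 self-ref dirs":  "GET /./cgi-bin/./probe.cgi HTTP/1.0",
    "F24 premature end":  "GET /%20HTTP/1.0%0d%0aHeader:%20/../../cgi-bin/probe.cgi HTTP/1.0",
    "F25 long prefix":    "GET /" + "A" * 64 + "/../cgi-bin/probe.cgi HTTP/1.0",
    "F26 fake parameter": "GET /index.htm%3fparam=/../cgi-bin/probe.cgi HTTP/1.0",
    "F27 case":           "GET /CGI-BIN/PROBE.CGI HTTP/1.0",
    "F28 windows syntax": "GET /cgi-bin\\probe.cgi HTTP/1.0",
}


def report() -> Dict[str, Dict[str, bool]]:
    """Match result per sample for a Unix-style target and for a Windows-style,
    double-decoding target."""
    return {
        name: {
            "unix": matches(req),
            "windows_double_decode": matches(req, decode_passes=2, windows_target=True),
        }
        for name, req in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:20s} {result}")
```

With the Unix-style defaults the hex, %u, self-referential, premature-ending, long-prefix and fake-parameter samples all normalise to the signature path, while double hex, case and backslash variants do not; enabling the Windows-style switches catches those three as well. A sensor therefore needs to know which server it is protecting, which is why F27 and F28 are target-dependent rather than universally "evasive".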
G - In-line/Tap Test

Test # | Test Name | Background port / proto | Addresses | pps | MTU (bytes) | Concurrent sessions | Conn/s | Run time | Avg transaction | Txn/session
------ | --------- | ----------------------- | --------- | --- | ----------- | ------------------- | ------ | -------- | --------------- | -----------
G1 | Tool dry-run | HTTP | 10000 | - | 1500 | - | - | 12 min | 4.5 KB | -
G2 | HTTP (1500 Mbps) + injection | HTTP | 10000 | 307934 | 1500 | n/a | 19583 | 12 min | 4.5 KB | 31682
Copyright 2002, Neohapsis, Inc.