Been evaluating a few ids devices (not that impressed to tell the truth !
) and by accident found a common issue with the ones i am looking at.
They all detect nmap scans and nessus scans and flag them up, i changed the nmap-services file to a custom file i use with a very specific set of ports. None of the ids devices flagged up a scan for nmap
i have spoken to the vendors the general responses that they identify the scans by known finger prints from applications i.e the way nmap sequences the ports.the other thing they look for is connection to lots of ports from 1 ip over a set amount of time
Question is is there a proxy tool for BT to randomize the proxy address and allow more than just port 80 etc and a way to randomize the nessus scan ?
My view on the ids/ips is its not worth the investment and does not replace a correctly configured firewall and system.any thoughts on usefulness of ips?