Chapter 3. Vulnerability Scanning

Vulnerability scanning consists of looking for known vulnerabilities in known products. The traffic sent is very target-specific, as opposed to the traffic sent by the tools described in Chapter 17, which require a lot of pseudorandom traffic.

A vulnerability scanner can execute intrusive or nonintrusive tests. An intrusive test tries to exercise the vulnerability, which can crash or alter the remote target. A nonintrusive test tries not to cause any harm to the target. The test usually consists of checking the remote service version, or checking whether the vulnerable options are enabled. Intrusive tests are typically much more accurate, but obviously they cannot be performed in a production environment. A nonintrusive test cannot determine for sure whether an installed service is vulnerable, only whether it might be vulnerable.
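The following is an added example, not code from the book or from any scanner it describes, of the nonintrusive style of check just outlined: it parses a service banner, compares the advertised version against a lookup table of fixed versions, and reports only that the service might be vulnerable. The advisory table, its fixed-version values and the sample banners are constructed for illustration; the product names are real, the advisory identifiers are placeholders. No network traffic is sent.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, hypothetical lookup table: product -> list of
# (first fixed version, placeholder advisory id). A real scanner ships a
# maintained plugin feed; these entries exist only to make the example run.
KNOWN_ISSUES = {
    "OpenSSH": [("7.4", "ADVISORY-PLACEHOLDER-1")],
    "vsFTPd": [("3.0.3", "ADVISORY-PLACEHOLDER-2")],
}

# Matches the product name and the dotted numeric version inside a banner.
BANNER_RE = re.compile(r"(?P<product>OpenSSH|vsFTPd)[_ /](?P<version>\d+(?:\.\d+)*)")

# Tokens that indicate a distribution build; distributions often backport fixes
# without changing the upstream version string, so the version check alone
# cannot settle the question for such hosts.
VENDOR_TOKENS = ("Ubuntu", "Debian", "el7", "el8", "FreeBSD")


def parse_version(text: str) -> tuple:
    """Turn '3.0.2' into (3, 0, 2) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Finding:
    product: str
    version: str
    advisory: Optional[str]   # placeholder id of the matched table entry, if any
    status: str               # "possibly vulnerable" | "not indicated" | "unknown product"
    backport_risk: bool       # True when a vendor suffix makes the version check unreliable


def check_banner(banner: str) -> Finding:
    """Nonintrusive check: read the banner, compare versions, never touch the flaw."""
    m = BANNER_RE.search(banner)
    if not m:
        return Finding("?", "?", None, "unknown product", False)
    product, version = m.group("product"), m.group("version")
    backport = any(tok in banner for tok in VENDOR_TOKENS)
    for fixed_in, advisory in KNOWN_ISSUES.get(product, []):
        if parse_version(version) < parse_version(fixed_in):
            # Older than the first fixed release: the most a banner check can say.
            return Finding(product, version, advisory, "possibly vulnerable", backport)
    return Finding(product, version, None, "not indicated", backport)


if __name__ == "__main__":
    # Constructed sample banners; nothing is contacted on the network.
    samples = [
        "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
        "220 (vsFTPd 3.0.2)",
        "220 (vsFTPd 3.0.3)",
        "220 unknownftpd ready",
    ]
    for banner in samples:
        print(check_banner(banner))
```

The first sample shows why the result is only "possibly vulnerable": the upstream version is below the table's fixed version, but the Ubuntu suffix means the fix may have been backported, so the check flags `backport_risk` rather than asserting a vulnerability. Confirming it would require an intrusive test, with the production-environment trade-off the text describes.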

A vulnerability scanner such as Nessus (see Nessus) differs from a penetration tool by the manner in which it exploits vulnerabilities. A scanner ensures that the vulnerability exists, but doesn’t attempt to compromise the vulnerable software. A crash or degradation of the service is only a side effect of an intrusive test, not a goal.

I do not advise using any of the available vulnerability scanners to test an IDS. First, you can never be sure what type of test is performed. Checking the program version or what options are available generates legitimate traffic that should not be detected by an IDS. Even intrusive tests often do not exploit ...
