RE: Firewall Tester 0.6
From: Marcus J. Ranum (mjr@nfr.com)
Date: 04/11/02
- Previous message: How ya Doin: "GB IDS solutions"
- In reply to: Steve: "RE: Firewall Tester 0.6"
- Next in thread: Bennett Todd: "Re: Firewall Tester 0.6"
- Next in thread: Brian: "Re: Firewall Tester 0.6"
- Reply: Bennett Todd: "Re: Firewall Tester 0.6"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 11 Apr 2002 11:48:40 -0400
To: "Steve" <steve@securesolutions.org>, "'Greg Shipley'" <gshipley@neohapsis.com>, "'Andrea Barisani'" <lcars@infis.univ.trieste.it>
From: "Marcus J. Ranum" <mjr@nfr.com>
Steve wrote:
>I agree with Greg on this point. In theory, if you replay 100 signature
>files the IDS should detect 100/100 of the "attacks". If you actually
>do the attacks themselves you are performing a true test.
It's actually worse! If you're replaying signature fragments what
you're doing is benchmarking the IDS' ability to generate false
positives!! That's _NOT_ a "feature" ;)
We had a case where a tester played snort-sig fragments at an NFR
and the NFR didn't generate a single false alarm. Why? Because
there was no actual hostile traffic. It did the right thing. A
lesser system would have generated a ton of false alarms and
irritated the heck out of the administrator, which would have been
the wrong thing to do because there was no actual attack or even
threat.
mjr.
---
Marcus J. Ranum
Chief Technology Officer, NFR Security, Inc.
Work: http://www.nfr.com
Personal: http://www.ranum.com
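The distinction Ranum draws above, between replaying a signature's content fragment and performing the attack it describes, as an added example that is not part of this thread or of any NFR or Snort code. Everything in it is constructed: the "rule" is a hypothetical directory-traversal content fragment, the four traffic samples are made up, and the two detectors are toys (one alerts on the bare fragment anywhere in a payload; the other alerts only when a parseable HTTP request path actually escapes the document root after decoding). Running both over the same samples shows what a fragment-replay test really measures: the naive matcher alerts on the replayed fragment and on a harmless request that happens to contain it, while missing the same attack with the fragment percent-encoded.

```python
"""
Added example, not from the original thread.

Assumptions (all constructed for illustration):
  * FRAGMENT is a content fragment lifted from a hypothetical traversal rule;
  * naive_detect() is the "lesser system": it alerts whenever that fragment
    appears anywhere in a payload;
  * contextual_detect() alerts only when a minimally well-formed HTTP/1.x
    request's decoded path walks above the document root.
"""
from urllib.parse import unquote

FRAGMENT = b"../../"   # constructed: the bare content fragment a replay tool would send


def naive_detect(payload: bytes) -> bool:
    """Signature-fragment matcher: alert if the fragment occurs anywhere."""
    return FRAGMENT in payload


def _request_path(payload: bytes):
    """Return the request-target of a minimally well-formed HTTP/1.x request, else None."""
    try:
        line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = line.split(" ")
    if len(parts) != 3 or not parts[1].startswith("/") or not parts[2].startswith("HTTP/1."):
        return None
    return parts[1]


def _escapes_root(path: str) -> bool:
    """True if the decoded path climbs above the document root at any point."""
    decoded = unquote(unquote(path.split("?", 1)[0]))  # tolerate single/double encoding
    depth = 0
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def contextual_detect(payload: bytes) -> bool:
    """Context-aware matcher: alert only on a real request that really traverses."""
    path = _request_path(payload)
    return path is not None and _escapes_root(path)


# Constructed traffic samples (not captured data).
SAMPLES = {
    "fragment_replay": FRAGMENT,                                            # what a replay tool sends
    "benign_request": b"GET /docs/a/b/../../index.html HTTP/1.1\r\nHost: x\r\n\r\n",  # stays inside root
    "real_attack": b"GET /../../etc/passwd HTTP/1.0\r\n\r\n",
    "encoded_attack": b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n\r\n",
}


def score(detect) -> dict:
    """Run one detector over every sample; True means it alerted."""
    return {name: detect(p) for name, p in SAMPLES.items()}


def false_positives(results: dict) -> int:
    """Alerts on samples that contain the fragment but carry no attack."""
    return sum(results[k] for k in ("fragment_replay", "benign_request"))


def true_positives(results: dict) -> int:
    """Alerts on the two samples that actually traverse out of the root."""
    return sum(results[k] for k in ("real_attack", "encoded_attack"))


if __name__ == "__main__":
    for name, det in (("naive", naive_detect), ("contextual", contextual_detect)):
        r = score(det)
        print(f"{name:10s} FP={false_positives(r)} TP={true_positives(r)}  {r}")
```

The naive matcher scores two false positives and one true positive; the contextual one scores zero and two. A test harness that counts "100/100 fragments detected" is rewarding the first detector for exactly the behaviour that irritates an administrator, and it never exercises the encoded form of the attack at all, which is the case a test that performs the attack would have covered.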