Re: IDS Informer

From: Greg Shipley (gshipley@neohapsis.com)
Date: 10/07/02


Date: Mon, 7 Oct 2002 02:09:07 -0500 (CDT)
From: Greg Shipley <gshipley@neohapsis.com>
To: Delroy Gooden <delroygooden@hotmail.com>


On Fri, 4 Oct 2002, Delroy Gooden wrote:

> Have been thinking about buying IDS Informer to test my ids rather than
> using Cybercop Scanner as it is defunct, does anyone use the application or
> have any comments?

Two quick notes:

1. Cybercop Scanner (or most VA products, for that matter) is probably not
the best way to test your NIDS device, as the "attacks" aren't necessarily
"real" attacks. This topic seems to surface every few months or so - you
might want to start with the thread found here:
http://archives.neohapsis.com/archives/sf/ids/2002-q3/0232.html ...and
work your way backwards. I think this topic has been beaten to death
though, so I won't waste anyone's time on it.

2. I've heard mixed things about IDS Informer. Normally I'm not a big fan
of spreading hearsay, but the people that have pointed out some negative
things I consider to be VERY trusted sources. Primarily, I've heard that
some (many?) of the attacks Informer claims to replay are not exactly
accurate. This is obviously a problem if the tool claims it ran attack X,
and the IDS device doesn't detect it for VALID reasons. IMHO, Blade
should document what is known about their attack accuracy, or make some
sort of assurance that the attacks they claim to support are indeed
legit.

If I get some free time (doubtful until Dec) I may try to dig through the
app and see for myself, but right now the thought of doing MORE
benchmarking vendor QA is a troubling one. I will say this, however: if
such a tool can be created it would make life a lot easier for testers.
Albeit, I'm skeptical. However, if you are just trying to test NIDS
processing thresholds, 5-20 attacks should be sufficient, IMHO.

-------------------

In short, until a tool comes out that is a) thorough, and b) has been
validated by trusted third-parties (who know how to test this stuff), I'd
stick with real attacks (i.e. real exploit code).

My .02,

-Greg
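Added illustration of the "valid reasons" point above; this is not code from the original post or from any Blade Software product. It models the preconditions a stream-reassembling NIDS applies before it inspects payload (completed handshake, in-sequence data, no reset), so a tester can tell a replay the sensor was never obliged to inspect from a genuine miss. The two-party flow model and the SIGNATURE string are constructed placeholders.

```python
# Toy stateful stream tracker: only payload inside an established, in-order
# client stream is matched, mirroring what a stateful NIDS does. A replayed
# "attack" that never completes the handshake is an invalid test, not a miss.
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str            # "client" or "server" (constructed two-party flow)
    flags: set          # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int
    payload: bytes = b""

SIGNATURE = b"/cgi-bin/phf?"  # placeholder attack content, not a real rule

def inspect_session(pkts):
    """Return (alert, reason) for one replayed session."""
    state, next_seq = "NEW", None
    for p in pkts:
        if state == "NEW" and p.src == "client" and p.flags == {"SYN"}:
            state, next_seq = "SYN_SENT", p.seq + 1
        elif state == "SYN_SENT" and p.src == "server" and p.flags == {"SYN", "ACK"}:
            state = "SYN_RECV"
        elif state == "SYN_RECV" and p.src == "client" and p.flags == {"ACK"}:
            state = "ESTABLISHED"
        elif state == "ESTABLISHED":
            if "RST" in p.flags:
                return False, "session reset before payload inspected"
            if p.src == "client" and p.payload:
                if p.seq != next_seq:
                    return False, f"out-of-sequence data (seq {p.seq}, expected {next_seq})"
                if SIGNATURE in p.payload:
                    return True, "signature matched in established stream"
                next_seq += len(p.payload)
        elif p.payload:
            # Data arrived for a stream the sensor never tracked: a valid non-alert.
            return False, f"payload seen while state={state}; stream never tracked"
    return False, f"no match; final state={state}"

# Constructed replays: a faithful session and one that skipped the handshake.
ATTACK = b"GET /cgi-bin/phf?x HTTP/1.0\r\n\r\n"
GOOD_REPLAY = [Pkt("client", {"SYN"}, 1000), Pkt("server", {"SYN", "ACK"}, 5000),
               Pkt("client", {"ACK"}, 1001), Pkt("client", {"ACK"}, 1001, ATTACK)]
BROKEN_REPLAY = [Pkt("client", {"ACK"}, 1001, ATTACK)]
SKEWED_REPLAY = GOOD_REPLAY[:3] + [Pkt("client", {"ACK"}, 1050, ATTACK)]

if __name__ == "__main__":
    for name, flow in [("good", GOOD_REPLAY), ("broken", BROKEN_REPLAY), ("skewed", SKEWED_REPLAY)]:
        print(name, inspect_session(flow))
```

A tool that scores the sensor on the second or third flow is blaming the IDS for a defect in the replay.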


