RE: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk

From: Compton, Rich (RCompton_at_chartercom.com)
Date: 11/02/04

    To: focus-ids@securityfocus.com
    Date: Tue, 2 Nov 2004 11:00:58 -0600 
    
    

    Why the heck would a pcap be confidential? As far as I know the pcaps that
    would be used in IPS testing would consist of some attack traffic (maybe
    obfuscated w/ fragrouter) with a mix of valid traffic. You replay the pcap
    and verify that the attack traffic was blocked. Anybody can generate and
    record this traffic relatively easily. Would it be because some IPSs work
    well with certain types of traffic (pcaps) and not very well with others?
    If so, then the community should share this information and these pcap files
    to reproduce the results. We could then make better informed decisions
    about what is the right device to purchase for our networks.

    -----Original Message-----
    From: Kyle Quest [mailto:kquest@toplayer.com]
    Sent: Monday, November 01, 2004 9:21 PM
    To: focus-ids@securityfocus.com
    Subject: Re: TippingPoint Releases Open Source Code for First Intrusion
    Prevention Test Tool, Tomahawk

    In-Reply-To:
    <B0DF0180764CDC4888BACFD27C84125F10CF8E27@stl02mexc11.corp.chartercom.com>

    TippingPoint is making some interesting claims here:
    1. "the first test tool designed specifically
        to evaluate the unique capabilities of
        network-based intrusion prevention systems",
    2. "end users can set up their own IPS test
        beds free of charge",
    3. "TippingPoint is contributing Tomahawk
        to the public to make IPS testing
        easier and more affordable for end users"

    The big questions are... how useful is it and
    what is the motivation behind it? This looks
    like yet another pcap replay tool (remember tcpreplay :-])
    that doesn't bring much new to the table.
    The heart and the soul of tools like this is
    the set of test pcaps; however, it's very unlikely
    that TippingPoint will give away their pcaps
    (for the same reason NetScreen doesn't give
    away its pcaps for tcpreplay). Without that...
    there seems to be very little use for it.
    I'd like to quote something Aaron Turner
    (creator of tcpreplay who works for NetScreen)
    said in one of his emails:
    "...NetScreen, like probably most companies
     considers our set of pcaps confidential;
     mostly because the amount of work that goes
     into creating them."

    What I'm trying to say is that given historical
    data a tool like this backed by a company with
    direct interest is not very likely to be useful.
    More importantly it looks a bit like a marketing
    trick (it's a bit ironic how a company who makes
    an IPS device is giving away a tool to test IPS
    devices).

    What we need... is Snort for IPS/IDS/Firewall
    testing, which would be advanced by the security
    community and not by a commercial company whose
    business interests are in conflict with the purpose
    of the tool.

    That's just my take on it...

    Kyle

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    --------------------------------------------------------------------------


