Re: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk
From: Martin Roesch (roesch_at_sourcefire.com)
Date: 11/08/04
- Previous message: Paul Palmer: "Re: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk"
- In reply to: ADT: "Re: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk"
- Next in thread: Don Parker: "Re: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk"
Date: Mon, 8 Nov 2004 13:20:54 -0500
To: ADT <synfinatic@gmail.com>
Hi Aaron,
I didn't mean to imply that tcpreplay was not useful; I just wanted to
caution people that there's a lot more to testing than just running
some pcaps in front of a device and seeing what it reports. I don't
think anyone would deny the usefulness of tcpreplay; we use it here for
testing all the time in our labs.
-Marty
On Nov 6, 2004, at 4:16 PM, ADT wrote:
> (thread is getting long, so just going to snip the whole thing,
> hopefully you kept a local copy)
>
> Hey Greg/Marty,
>
> I don't think anyone would argue that tcpreplay or tomahawk are
> written for performance testing of IDS or IPS. I'm sure some people
> do that, but both have rather limited use in that regard (you want
> to generate background traffic using *your* network's traffic). What
> tcpreplay and tomahawk do rather well is provide the means to safely
> reproduce malicious traffic for testing detection capabilities.
>
> Unlike "live tests", tcpreplay/tomahawk don't require people to
> distribute working exploit code or attack an actual host which, due
> to the nature of exploits, will likely have to be "fixed" in some
> manner. Unlike exploit code, there is no risk that a pcap will also
> re-format your hard drive or require you to install and configure a
> wide variety of operating systems and applications to attack.
>
> Of course, unlike a "live test" there is some trust involved that the
> pcap contains packets which are relevant for the test you are running.
> Whether or not this precludes either tool from being used by someone
> evaluating an IDS/IPS probably depends on how much they trust the
> pcaps. For those people who don't want to trust pcaps and don't have
> the means to get a library of working exploits, I'm sure Blade will be
> more than happy to sell you IDS Informer (of course, now you have to
> trust Blade, so you're just shifting your trust).
>
> Of course, if you already have a repository of valid pcaps (maybe
> something the OSVDB guys could do?) with known attacks, then using
> these tools probably makes a lot of sense for certain kinds of tests.
>
> Aaron, the tcpreplay guy
>
> --
> http://synfin.net/
>
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org