Re: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk

From: Martin Roesch (roesch_at_sourcefire.com)
Date: 11/08/04

    Date: Mon, 8 Nov 2004 13:20:54 -0500
    To: ADT <synfinatic@gmail.com>

    Hi Aaron,

    I didn't mean to imply that tcpreplay was not useful, I just wanted to
    caution people that there's a lot more to testing than just running
    some pcaps in front of a device and seeing what it reports. I don't
    think anyone would deny the usefulness of tcpreplay, we use it here for
    testing all the time in our labs.

           -Marty

    On Nov 6, 2004, at 4:16 PM, ADT wrote:

    > (thread is getting long, so just going to snip the whole thing,
    > hopefully you kept a local copy)
    >
    > Hey Greg/Marty,
    >
    > I don't think anyone would argue that tcpreplay or tomahawk are
    > written for performance testing of IDS or IPS. I'm sure some people do
    > that, but both have rather limited use in that regard (you want to
    > generate background traffic using *your* network's traffic). What
    > tcpreplay and tomahawk do rather well is provide the means to safely
    > reproduce malicious traffic for testing detection capabilities.
    >
    > Unlike "live tests", tcpreplay/tomahawk don't require people to
    > distribute working exploit code or attack an actual host which, due to
    > the nature of exploits, will likely have to be "fixed" in some manner.
    > Unlike exploit code, there is no risk that a pcap will also re-format
    > your hard drive or require you to install and configure a wide variety
    > of operating systems and applications to attack.
    >
    > Of course, unlike a "live test" there is some trust involved that the
    > pcap contains packets which are relevant for the test you are running.
    > Whether or not this precludes either tool from being used by someone
    > evaluating an IDS/IPS probably depends on how much they trust the
    > pcaps. For those people who don't want to trust pcaps and don't have
    > the means to get a library of working exploits, I'm sure Blade will be
    > more than happy to sell you IDS Informer (of course, now you have to
    > trust Blade, so you're just shifting your trust).
    >
    > Of course if you already have a repository of valid pcaps (maybe
    > something the OSVDB guys could do?) with known attacks, then using
    > these tools probably makes a lot of sense for certain kinds of tests.
    >
    > Aaron, the tcpreplay guy
    >
    > --
    > http://synfin.net/
    >
    > --------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it with real-world attacks from
    > CORE IMPACT.
    > Go to
    > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    > --------------------------------------------------------------------------
    >
    >

    -- 
    Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
    Sourcefire - Discover.  Determine.  Defend.
    roesch@sourcefire.com - http://www.sourcefire.com
    Snort: Open Source Network IDS - http://www.snort.org
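As an added example that is not part of the thread (stdlib Python, with a constructed sample capture rather than a real one): a small inventory of what a classic libpcap file actually contains, hash included, so a tester can record a replay pcap's provenance and check its relevance before feeding it to an IDS/IPS with tcpreplay or tomahawk.

```python
import hashlib
import struct
from collections import Counter

def build_sample_pcap():
    """Constructed sample (not a real capture): a TCP SYN and SYN/ACK on port 80."""
    def frame(src, dst, sport, dport, flags):
        eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 8192, 0, 0)
        pkt = eth + ip + tcp
        return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt  # record header + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # DLT 1 = Ethernet
    return (header + frame("10.0.0.1", "10.0.0.2", 40000, 80, 0x02)
                   + frame("10.0.0.2", "10.0.0.1", 80, 40000, 0x12))

def inventory(pcap):
    """Summarise a classic libpcap file: sha256, packet count, per-flow counts, SYN count."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a libpcap file (bad magic)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT 1) captures are handled here")
    flows, packets, syns, off = Counter(), 0, 0, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "IIII", pcap[off:off + 16])[2]  # captured length
        fr = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        packets += 1
        if len(fr) < 34 or fr[12:14] != b"\x08\x00":
            flows[("non-ipv4",)] += 1
            continue
        ihl = (fr[14] & 0x0F) * 4
        src = ".".join(map(str, fr[26:30]))
        dst = ".".join(map(str, fr[30:34]))
        l4 = fr[14 + ihl:]
        if fr[23] == 6 and len(l4) >= 14:
            sport, dport = struct.unpack("!HH", l4[:4])
            flows[(src, sport, dst, dport, "tcp")] += 1
            if l4[13] & 0x12 == 0x02:  # SYN without ACK: a new connection attempt
                syns += 1
        else:
            flows[(src, dst, fr[23])] += 1
    return {"sha256": hashlib.sha256(pcap).hexdigest(), "packets": packets,
            "flows": flows, "syn_only": syns}
```

The sha256 is what you would store next to the pcap in a test library so a replayed file can later be matched to the capture that was reviewed.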
    
