RE: Testing IDS with tcpreplay



Ok, adding more to this discussion,
Tcpreplay becomes very handy in scenarios where complex application
protocol based attacks have to be tested. In this case a quicker way
would be editing the existing pcaps with tools like netdude and then
tcpreplay it :-). A good example would be testing overflow protocol
anomalies using pcap editing.

I would say tcpreplay along with real time exploits/tools is the best
way to do it.

<snip>
Obviously the biggest limitation of tcpreplay is it doesn't come with
a library of pcaps. Maybe one of these days I can figure out the
logistics to make that happen and encourage people to actually submit
pcaps (which people tend to worry might have some kind of confidential
IP in them) rather than just leech off everyone else. If anyone has
any bright ideas I'd love to hear them.
</snip>

Well if it's a matter of hiding IP addresses and sensitive information, then
I guess tests which are run with private IP addresses in labs can be
captured and shared... just a thought...

Thanks
Prashant
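Prashant's suggestion above (share captures that only ever carried lab addresses) can also be applied after the fact: rewrite the endpoints of an existing capture before passing it around, which is what tcprewrite does for real. What follows is an added example written for this page, not code from the thread or from the tcpreplay project. It uses only the Python standard library, handles classic little-endian pcap files with Ethernet framing and IPv4 inside, and fixes the IP and TCP/UDP checksums with the RFC 1624 incremental method so it also works on snaplen-truncated packets. The sample capture, the addresses (documentation ranges mapped into RFC 1918 space), the MAC addresses and the output file name are all constructed for the illustration.

```python
"""Rewrite IPv4 endpoints in a pcap so a capture can be shared without its
real addresses.  Illustrative code (not tcpreplay's): classic little-endian
pcap, Ethernet link type, IPv4 only; other frames pass through untouched."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4        # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
# Constructed mapping: public-looking (documentation) addresses -> lab addresses
MAPPING = {"203.0.113.10": "10.0.0.10", "198.51.100.20": "10.0.0.20"}


def ones_complement_sum(data: bytes) -> int:
    """Fold bytes into a 16-bit one's-complement sum (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def update_checksum(old_csum: int, old_bytes: bytes, new_bytes: bytes) -> int:
    """RFC 1624 incremental update, HC' = ~(~HC + ~m + m').
    Needs only the changed words, so it works on truncated segments too."""
    total = ((~old_csum) & 0xFFFF)
    total += (~ones_complement_sum(old_bytes)) & 0xFFFF
    total += ones_complement_sum(new_bytes)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


def build_tcp_packet(src, dst, sport, dport, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame with valid checksums (used to build the sample)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    pseudo = ip_to_bytes(src) + ip_to_bytes(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return eth + ip + tcp


def write_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):      # ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1000000 + i, 0, len(frame), len(frame)) + frame
    return out


def rewrite_frame(frame: bytearray, packed_map: dict) -> bytes:
    """Swap IPv4 src/dst per packed_map and repair IP and TCP/UDP checksums."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return bytes(frame)                 # not plain IPv4 (VLAN tags, ARP, ...)
    ip_off, ihl = 14, (frame[14] & 0x0F) * 4
    if len(frame) < ip_off + ihl:
        return bytes(frame)                 # IP header itself is truncated
    old_src, old_dst = bytes(frame[ip_off + 12:ip_off + 16]), bytes(frame[ip_off + 16:ip_off + 20])
    new_src, new_dst = packed_map.get(old_src, old_src), packed_map.get(old_dst, old_dst)
    if (new_src, new_dst) == (old_src, old_dst):
        return bytes(frame)
    frame[ip_off + 12:ip_off + 20] = new_src + new_dst
    old_ip_csum = struct.unpack("!H", frame[ip_off + 10:ip_off + 12])[0]
    frame[ip_off + 10:ip_off + 12] = struct.pack(
        "!H", update_checksum(old_ip_csum, old_src + old_dst, new_src + new_dst))
    # Transport checksums cover a pseudo-header with the addresses; only first fragments carry one
    proto = frame[ip_off + 9]
    frag_off = struct.unpack("!H", frame[ip_off + 6:ip_off + 8])[0] & 0x1FFF
    csum_off = {6: 16, 17: 6}.get(proto)    # TCP, UDP checksum field offsets
    if csum_off is not None and frag_off == 0 and ip_off + ihl + csum_off + 2 <= len(frame):
        pos = ip_off + ihl + csum_off
        old_t = struct.unpack("!H", frame[pos:pos + 2])[0]
        if not (proto == 17 and old_t == 0):            # UDP zero means "no checksum"
            new_t = update_checksum(old_t, old_src + old_dst, new_src + new_dst)
            if proto == 17 and new_t == 0:
                new_t = 0xFFFF
            frame[pos:pos + 2] = struct.pack("!H", new_t)
    return bytes(frame)


def rewrite_pcap(data: bytes, mapping: dict) -> bytes:
    """Apply rewrite_frame to every record of a classic little-endian Ethernet pcap."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    if struct.unpack("<I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    packed_map = {ip_to_bytes(k): ip_to_bytes(v) for k, v in mapping.items()}
    out, off = bytearray(data[:24]), 24
    while off + 16 <= len(data):
        hdr = data[off:off + 16]
        incl_len = struct.unpack("<I", hdr[8:12])[0]
        out += hdr + rewrite_frame(bytearray(data[off + 16:off + 16 + incl_len]), packed_map)
        off += 16 + incl_len
    return bytes(out)


def verify_frame(frame: bytes) -> bool:
    """Full recompute: True if both the IPv4 and the TCP checksum validate."""
    ip = frame[14:34]
    if ones_complement_sum(ip) != 0xFFFF:
        return False
    tcp = frame[34:14 + struct.unpack("!H", ip[2:4])[0]]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, ip[9], len(tcp))
    return ones_complement_sum(pseudo + tcp) == 0xFFFF


if __name__ == "__main__":
    sample = write_pcap([build_tcp_packet("203.0.113.10", "198.51.100.20", 40000, 80,
                                          b"GET / HTTP/1.0\r\n\r\n")])
    anon = rewrite_pcap(sample, MAPPING)
    assert verify_frame(anon[40:]), "checksum repair failed"
    with open("lab-anon.pcap", "wb") as fh:     # constructed output name
        fh.write(anon)
```

The result replays with tcpreplay like any other capture. Only the addresses are changed: host names, credentials or banner strings inside application payloads are left as they were, so those still need separate editing (with netdude, as mentioned above) before a capture is shared.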



-----Original Message-----
From: Aaron Turner [mailto:synfinatic@xxxxxxxxx]
Sent: Wednesday, February 15, 2006 5:27 AM
To: ehanselman@xxxxxxxxxxxx
Cc: focus-ids@xxxxxxxxxxxxxxxxx
Subject: Re: Testing IDS with tcpreplay

Generally speaking, tcpreplay is better when one or more of the
following is true:

1) Trying to do comparative analysis and you want to make sure each
device sees exactly the same thing

2) Need to automate or do a lot of regression testing and want a
stable and relatively simple lab environment

3) Already have a library of pcaps (either from customers, the wild
or capturing traffic of real tools like Metasploit)

4) Don't want to worry about re-installing or fixing target systems
after they've been 0wn3d. VMware of course helps, but there is still
a lot more administrative overhead.

5) You don't want to have to install and then maintain 10s or 100s
of applications and their operating systems to break into.

In general, tcpreplay isn't all that useful IMHO when you're first
starting off and "want to do some IDS/IPS testing" or only intend to
run a few tests or tests only once or twice unless you already happen
to have a nice pcap library.

Obviously the biggest limitation of tcpreplay is it doesn't come with
a library of pcaps. Maybe one of these days I can figure out the
logistics to make that happen and encourage people to actually submit
pcaps (which people tend to worry might have some kind of confidential
IP in them) rather than just leech off everyone else. If anyone has
any bright ideas I'd love to hear them.

--
Aaron Turner
http://synfin.net/
