icsa ips testing vulnerability set

While I was reviewing ICSA "Network IPS Corporate Testing Criteria" I really got the impression that they used a fairly outdated set of vulnerabilities.

Most of the 219 vulnerabilities they used date back from 2001-2004.
Only 18 of them are from 2005 and none are from 2006, altough the year hasn't really been vulnerability less.

It also seems that they didn't test any replays of client side stuff which is certainly something that's on the rise ...

Altough their list is pretty enterprise oriented I'm still missing stuff like tomcat, mysql, db2, malformed sip.

What do you think ?

Any pointers to exploits, applications that must be included in such an enterprise ready test ....



Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.