RE: IDS testing. Libs for packet capture.

Saiko,

I suggest you look into tomahawk (http://tomahawk.sourceforge.net/). It was developed specifically for testing IPS devices. It does not have quite as many options as tcpreplay now offers, but the essential functions required for IPS testing are provided. There are also sample pcaps of old exploits at the SourceForge project page:

http://sourceforge.net/project/showfiles.php?group_id=121410&package_id=132474
(Select the pcaps.tgz file under Extras)

Be aware that the online documentation and tutorial both refer to v1.0 of the code and are woefully out of date. I highly recommend v1.1. The changes/fixes from 1.0->1.1 are discussed in the Release Notes for v1.1 (http://tomahawk.sourceforge.net/CHANGES.txt)

David

Full Disclosure:
My opinion is somewhat biased because I rewrote the v1.0 code and submitted all the v1.1 changes.

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of ????????? ?????
Sent: Tuesday, December 02, 2008 6:18 PM
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: IDS testing. Libs for packet capture.

All,

I have been working in IDS testing. Now I'm focused on testing network
modules, like Snort, netstat, etc. I am searching for tools to play
traffic from tcpdumps. Is anyone in the group working on something
like that? The idea is to develop some libpcap-like lib for playing
tcpdumps. The question is: has it already been done? Are there any
other common libs for packet capturing used in common IDSs?

---
Saiko Alexander
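The core of any "libpcap-like lib for playing tcpdumps" is reading the savefile format that tcpdump, Snort and the tools David mentions all consume. The following is an added example written for this thread; it is not code from tomahawk, tcpreplay or libpcap. It parses the 24-byte pcap global header and the 16-byte per-record headers, bounds-checks every record against the declared snaplen before trusting its length (a replayer that sizes its buffer from the header would otherwise overrun it on a corrupt file), and derives the inter-packet delays a replayer needs to reproduce the captured timing. It goes slightly beyond the question by handling both byte orders and the nanosecond-timestamp magic; pcapng is deliberately rejected. The `build_pcap` writer, the `speedup` parameter and the sample capture are constructed here for illustration.

```python
"""Minimal reader for the libpcap savefile ("tcpdump") format with replay pacing.

Added example; not tomahawk/tcpreplay/libpcap code. The sample capture below is
constructed in this file, so nothing real is read or transmitted.
"""
import struct
from typing import List, NamedTuple, Tuple

GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16

# The magic is written in the capturing host's byte order. Reading the first
# four bytes little-endian tells us both the byte order of the rest of the file
# and whether timestamps carry micro- or nanoseconds.
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microsecond timestamps
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microsecond timestamps
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanosecond timestamps
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanosecond timestamps
}


class PcapHeader(NamedTuple):
    byte_order: str          # struct prefix: "<" little-endian, ">" big-endian
    version: Tuple[int, int]
    snaplen: int             # maximum bytes stored per packet
    linktype: int            # LINKTYPE_* value; 1 = Ethernet


class Packet(NamedTuple):
    timestamp: float         # seconds since the epoch, fraction included
    orig_len: int            # length on the wire (may exceed len(data))
    data: bytes              # captured bytes, never more than snaplen


def parse_pcap(data: bytes) -> Tuple[PcapHeader, List[Packet]]:
    """Parse an in-memory pcap file; raise ValueError on malformed input."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError(f"unknown magic 0x{magic:08x} (pcapng is not handled here)")
    endian, divisor = PCAP_MAGICS[magic]
    _, major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:GLOBAL_HDR_LEN])
    header = PcapHeader(endian, (major, minor), snaplen, linktype)

    packets: List[Packet] = []
    offset = GLOBAL_HDR_LEN
    while offset < len(data):
        if len(data) - offset < RECORD_HDR_LEN:
            raise ValueError(f"truncated record header at offset {offset}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(
            endian + "IIII", data, offset)
        # A record claiming more bytes than the declared snaplen would overrun a
        # buffer sized from the global header; treat it as corruption.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"bad lengths at offset {offset}: incl={incl_len} "
                             f"orig={orig_len} snaplen={snaplen}")
        offset += RECORD_HDR_LEN
        if len(data) - offset < incl_len:
            raise ValueError(f"truncated packet data at offset {offset}")
        payload = data[offset:offset + incl_len]
        offset += incl_len
        packets.append(Packet(ts_sec + ts_frac / divisor, orig_len, payload))
    return header, packets


def replay_gaps(packets: List[Packet], speedup: float = 1.0) -> List[float]:
    """Seconds to wait before each packet so replay keeps the captured timing.

    The first packet goes out immediately; out-of-order timestamps are clamped
    to zero instead of yielding negative waits.
    """
    gaps = [0.0]
    for prev, cur in zip(packets, packets[1:]):
        gaps.append(max(0.0, cur.timestamp - prev.timestamp) / speedup)
    return gaps


def build_pcap(records, linktype: int = 1, snaplen: int = 65535,
               endian: str = "<") -> bytes:
    """Serialize (ts_sec, ts_usec, payload) tuples into a microsecond pcap.

    Fixture writer only; the endian parameter lets us produce both byte orders.
    """
    out = [struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, payload in records:
        out.append(struct.pack(endian + "IIII", ts_sec, ts_usec, len(payload), len(payload)))
        out.append(payload)
    return b"".join(out)


# Constructed three-packet capture: packets 0.25 s and then 2.0 s apart.
SAMPLE_RECORDS = [
    (1000, 0, b"\x00" * 60),
    (1000, 250000, b"\x11" * 64),
    (1002, 250000, b"\x22" * 40),
]
SAMPLE_PCAP = build_pcap(SAMPLE_RECORDS)

if __name__ == "__main__":
    hdr, pkts = parse_pcap(SAMPLE_PCAP)
    print(f"pcap v{hdr.version[0]}.{hdr.version[1]} linktype={hdr.linktype} "
          f"snaplen={hdr.snaplen} packets={len(pkts)}")
    for wait, pkt in zip(replay_gaps(pkts), pkts):
        print(f"  sleep {wait:.3f}s then send {len(pkt.data)} bytes")
```

Feeding a file captured by tcpdump into `parse_pcap` gives you the same record list; a replayer built on it would sleep for each entry of `replay_gaps` before injecting the corresponding `data`, which is where the real work (raw sockets, interface selection, MAC rewriting) that tomahawk and tcpreplay already provide begins.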

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

