Dailydave mailing list archives
Re: Commercial Fuzzers
From: Matt Hargett <matt () use net>
Date: Wed, 15 Feb 2006 10:35:59 +0000
Dave Aitel wrote:
> RaMatkal wrote:
>> Just wondering if anyone on this list has had any experience with a commercial fuzzer such as beStorm (http://www.beyondsecurity.com/BeStorm_Info.htm) and how it/they compare to open source equivalents such as SPIKE....
>
> I think we all over the last week have gotten a bit of experience with the ProtoVer fuzzer, which is probably a lot cheaper than the commercial Protos, but clearly produces results. :> I like how there's at least one mailing list left that allows a flood of 0day...
I keep hearing great things about Codenomicon for SIP and IKE testing. I also consistently hear that they are gouging their customers price-wise and that the quality of their UI keeps getting worse with each release. That being said, it seems to be the tool of choice for making Cisco, Juniper, NetGear, and other equipment completely shit the bed.
In my talk at the Software Security Summit I recommended people use a protocol-specific fuzzer rather than a generic fuzzer. It is just too much work to get decent code coverage in a generic fuzzer. That being said, any fuzzer for a given protocol should get at least 70% code coverage in an open source implementation of said protocol.
Fuzzing a whopping 20% of the FreeSWAN code isn't worth a dime, so ask whatever vendors you speak to for code coverage numbers.