IDS mailing list archives
RE: TippingPoint Releases Open Source Code for First Intrusion Pr evention Test Tool, Tomahawk
From: "Compton, Rich" <RCompton () chartercom com>
Date: Tue, 2 Nov 2004 11:00:58 -0600
Why the heck would a pcap be confidential? As far as I know the pcaps that would be used in IPS testing would consist of some attack traffic (maybe obfuscated w/ fragrouter) with a mix of valid traffic. You replay the pcap and verify that the attack traffic was blocked. Anybody can generate and record this traffic relatively easily. Would it be because some IPSs work well with certain types of traffic (pcaps) and not very well with others? If so, then the community should share this information and these pcap files to reproduce the results. We could then make better informed decisions about what is the right device to purchase for our networks. -----Original Message----- From: Kyle Quest [mailto:kquest () toplayer com] Sent: Monday, November 01, 2004 9:21 PM To: focus-ids () securityfocus com Subject: Re: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk In-Reply-To: <B0DF0180764CDC4888BACFD27C84125F10CF8E27 () stl02mexc11 corp chartercom com> TippingPoint is making some interesting claims here: 1. "the first test tool designed specifically to evaluate the unique capabilities of network-based intrusion prevention systems", 2. "end users can set up their own IPS test beds free of charge", 3. "TippingPoint is contributing Tomahawk to the public to make IPS testing easier and more affordable for end users" The big questions are... how useful is it and what is the motivation behind it? This looks like yet another pcap replay tool (remember tcpreplay :-]) that doesn't bring much new to the table. The heart and the soul of tools like this is the set of test pcaps; however, it's very unlikely that TippingPoint will give away their pcaps (for the same reason NetScreen doesn't give away its pcaps for tcpreplay). Without that... there seems to be very little use for it. I'd like to quote something Aaron Turner (creator of tcpreplay who works for NetScreen) said in one of his emails: "...NetScreen, like probably most companies considiers our set of pcap's confidential; mostly because the amount of work that goes into creating them." What I'm trying to say is that given historical data a tool like this backed by a company with direct interest is not very likely to be useful. More importantly it looks a bit like a marketing trick (it's a bit ironic how a company who makes an IPS device is giving away a tool to test IPS devices). What we need... is Snort for IPS/IDS/Firewall testing, which would be advanced by the security community and not by a commerical company who's business interests are in conflict with the purpose of the tool. That's just my take on it... Kyle -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. -------------------------------------------------------------------------- -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- RE: TippingPoint Releases Open Source Code for First Intrusion Pr evention Test Tool, Tomahawk Compton, Rich (Nov 02)