IDS mailing list archives
RE: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk
From: Greg Shipley <gshipley () neohapsis com>
Date: Thu, 4 Nov 2004 14:34:16 -0600 (CST)
On Thu, 4 Nov 2004, Rob Shein wrote:
> Oh, I have to disagree with this, and for a one-word reason: "open". Because it's an open-source tool, everyone can look into it and see how it works.

I hear ya, but reading code != understanding good testing methodology. But even if it did, do you believe that the average corporate product tester reads all the code to the tools that he or she uses? Much less understands it? SHOULD they read the code? Absolutely - if they've got the time and skill. Do they? Heh. From what I've seen in the past, few have the time or skills...but maybe you have seen differently...

> For example, before I'd even started reading this thread, Martin Roesch had chimed in with his own assessment of how it works. So if it's geared towards making any one vendor look better than all the others...well, they'd get caught at it right off, and it would have the opposite effect.

Again, good points, but I wish it were that simple. Can you honestly say that the average person can dissect pcap traffic dumps to the point where they are going to notice differences in, say, NOP sleds or targeted landing zones, when they watch the exploit code go across the wire? (I couldn't w/o the help of some of the exploit writers at Neo...and I live with this stuff!) And even if you did, could you PROVE that a vendor exploited service x in y manner just to avoid Vendor Z's detection? In principle I agree with what you are saying, but in reality I've found it to be FAR more difficult - the issues aren't nearly that simple.

> And also worth pointing out is that unlike the RDBMS example listed below, TippingPoint isn't even saying that their product is better with this tool. For that matter, they aren't making any claims at all; their release could just as easily have come from any researcher with no vendor ties, without being any different. They're only saying, "hey, this is a rapidly-growing technology, and there aren't really any tools for non-vendors to validate products...here's something we've come up with to get the ball rolling in that direction."

Really? Is the above what TippingPoint is saying with the following statement: "To date, the tools for testing NIPS have been expensive and limited in functionality. They are typically designed for testing other products, such as switches (e.g., SmartBits/IXIA), server infrastructure (e.g., WebAvalanche), or Firewalls and Intrusion Detection Systems (Firewall Informer or IDS Informer). None of these tools simulate the harsh environment of real networks under attacks." (see http://tomahawk.sourceforge.net/) "None of these tools simulate" sounds an awful lot like they are stating their tool is indeed "better" - but maybe that's just my interpretation. Did you interpret this differently?

Thanks,

-Greg