IDS mailing list archives
Re: Intrusion Prevention requirements document
From: Mike Frantzen <frantzen () nfr com>
Date: Thu, 10 Nov 2005 11:27:12 -0500
> "I strongly believe that replay tools are NOT an effective way to test an IPS:"
>
> That's quite a bold statement to make. I agree that they are not a panacea, but not effective? If that was the case, then why do tools such as TCPReplay, Tomahawk and even the Metasploit project exist other than to replay, in a controlled manner, live or pre-captured sessions of an exploit to its natural conclusion? And why are these very tools used by the majority of the security vendors to augment the design and validation of signatures, not to mention the testing labs in their relevant reports?
People use those replay tools because they're easy, not because they're effective.

Gather 'round kids, it's story time about someone testing with a replay tool. In order to test our 100Mb/s device they were using one of the freely available pcap multipliers that generates tons of traffic from just a few pcaps. Our device kept going into its DoS survivability mode to prevent a total outage and the tester was getting annoyed. But why, Mike? To generate that 100Mb of traffic it was actually simulating a network with 14K local hosts. Owwie. But it gets worse: it also simulated a network that received 270 million unique visitors a month, and Google only gets 80 million a month! It was actually pretty cool to see the DoS survivability stuff working so well under such a massive attack against our state/statistics gathering.

There are also other problems with many replay tools that force the IPS to serialize its processing instead of parallelizing or batching its processing.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28
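The sanity check the story above calls for, as an added example that is not part of the original thread: before blaming the IPS for entering its survivability mode, profile what the replayed capture actually implies about the network it simulates (simulated local hosts, distinct remote sources, and those sources extrapolated to a monthly rate). The local prefix and the sample capture are constructed assumptions; the parser handles classic microsecond pcap with Ethernet/IPv4 frames using only the standard library.

```python
import struct
import ipaddress
from collections import namedtuple

# What the replayed capture implies about the network it simulates.
LoadProfile = namedtuple("LoadProfile", "packets seconds local_hosts remote_sources remote_per_month")

def _ipv4_endpoints(pcap):
    """Yield (timestamp, src, dst) for every IPv4-over-Ethernet record in raw pcap bytes."""
    if len(pcap) < 24:
        return
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                            # skip the pcap global header
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                    # not IPv4 over Ethernet, skip it
        yield ts_sec + ts_usec / 1e6, ipaddress.IPv4Address(frame[26:30]), ipaddress.IPv4Address(frame[30:34])

def profile_replay(pcap, local_net):
    """Count simulated local hosts and remote sources; extrapolate sources to a 30-day month."""
    local = ipaddress.ip_network(local_net)
    times, local_hosts, remote_sources = [], set(), set()
    for ts, src, dst in _ipv4_endpoints(pcap):
        times.append(ts)
        local_hosts.update(ip for ip in (src, dst) if ip in local)
        if src not in local:
            remote_sources.add(src)
    if not times:
        return LoadProfile(0, 0.0, 0, 0, 0.0)
    seconds = max(times[-1] - times[0], 1e-6)           # guard a single-packet capture
    per_month = len(remote_sources) * 30 * 86400 / seconds
    return LoadProfile(len(times), seconds, len(local_hosts), len(remote_sources), per_month)

def build_sample_pcap(flows):
    """Constructed input: header-only Ethernet/IPv4 frames in a little-endian pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, src, dst in flows:
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                             ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
        frame = bytes(12) + b"\x08\x00" + ip_hdr          # zeroed MACs, ethertype IPv4
        out += struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame))
        out += frame
    return out

# Constructed sample: 8 distinct remote sources hit 2 local hosts within 1.75 seconds.
SAMPLE = build_sample_pcap([(i * 0.25, "203.0.113.%d" % (i + 1), "192.0.2.%d" % (i % 2 + 1))
                            for i in range(8)])
```

Run it over the capture a multiplier is fed (multiplied by the tool's host-rewriting factor) and compare the host and monthly-source counts with the production network the IPS is meant to protect.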