IDS mailing list archives

Re: Intrusion Prevention requirements document


From: Mike Frantzen <frantzen () nfr com>
Date: Thu, 10 Nov 2005 11:27:12 -0500

" I strongly believe that replay tools are NOT an effective way to test an
IPS:"
That's quite a bold statement to make.  I agree that they are not a panacea
but not effective?  If that was the case then why do tools such as TCPReplay,
Tomahawk and even the Metasploit project exist other than to replay in a
controlled manner, live or pre-captured sessions of an exploit to its
natural conclusion?  And why are these very tools used by the majority of
the security vendors to augment the design and validation of signatures, not
to mention the testing labs in their relevant reports?

People use those replay tools because they're easy, not because they're
effective.  Gather 'round kids, it's story time about someone testing
with a replay tool.  In order to test our 100Mb/s device they were using
one of the freely available pcap multipliers that generates tons of
traffic from just a few pcaps.  Our device kept going into its DoS
survivability mode to prevent a total outage and the tester was getting
annoyed.

But why Mike?  To generate that 100Mb of traffic it was actually
simulating a network with 14K local hosts.  Owwie.  But it gets worse,
it also simulated a network that received 270 million unique visitors a
month, and Google only gets 80 million a month!  It was actually pretty
cool to see the DoS survivability stuff working so well under such a
massive attack against our state/statistics gathering.


There are also other problems with many replay tools that force the IPS
to serialize its processing instead of parallelizing or batching its
processing.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP:  CC A4 E2 E8 0C F8 42 F0  BC 26 85 5B 6F 9E ED 28
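The failure mode Mike describes above, as an added example that is not part of the original post or of any NFR product: a toy pcap multiplier that rewrites the source address on every replayed copy, fed through a toy per-host state tracker that drops into a "survivability mode" when too many never-before-seen sources appear in a window. The flows, the window size, the threshold and the monitor class are all constructed for illustration; the only figures taken from the post are the 100Mb/s, 14K-host and 270-million-per-month numbers it quotes.

```python
"""Added example, not part of the original post: a toy model of why a pcap
multiplier skews an IPS's host statistics. Replaying a few captured flows
with a fresh source address on every copy makes a 100 Mb/s stream look like
tens of thousands of distinct hosts, and a state tracker that counts
never-before-seen sources per window reads that as a flood. All flows,
window sizes and thresholds below are constructed for illustration."""
from collections import deque
import ipaddress

# Constructed "captured" flows: (src, dst, dst_port). Three real hosts.
CAPTURED_FLOWS = [
    ("192.0.2.10", "198.51.100.5", 80),
    ("192.0.2.11", "198.51.100.5", 443),
    ("192.0.2.12", "198.51.100.7", 25),
]


def multiply_pcap(flows, copies, rewrite_sources, base="10.0.0.0"):
    """Mimic a pcap multiplier: replay each flow `copies` times. With
    rewrite_sources=True every copy gets a new source address (the usual
    trick to keep sessions from colliding); otherwise the original three
    sources are reused. Yields (src, dst, port) in replay order."""
    base_ip = int(ipaddress.IPv4Address(base))
    n = 0
    for _ in range(copies):
        for src, dst, port in flows:
            if rewrite_sources:
                src = str(ipaddress.IPv4Address(base_ip + n))
                n += 1
            yield (src, dst, port)


class HostStateMonitor:
    """Toy IPS statistics gatherer (hypothetical): it remembers every host
    it has seen and counts how many *new* hosts showed up in the last
    `window` packets. If that count exceeds `threshold`, it drops into
    survivability mode, the behaviour the post describes."""

    def __init__(self, window=1000, threshold=500):
        self.window = window
        self.threshold = threshold
        self.seen = set()
        self.recent = deque()      # 1 per packet that introduced a new host
        self.new_in_window = 0     # running sum of self.recent
        self.survivability_mode = False
        self.tripped_at = None     # packet index at which the mode engaged

    def observe(self, pkt_index, src):
        is_new = src not in self.seen
        self.seen.add(src)
        self.recent.append(1 if is_new else 0)
        self.new_in_window += 1 if is_new else 0
        if len(self.recent) > self.window:
            self.new_in_window -= self.recent.popleft()
        if not self.survivability_mode and self.new_in_window > self.threshold:
            self.survivability_mode = True
            self.tripped_at = pkt_index


def run_replay(copies, rewrite_sources, window=1000, threshold=500):
    """Feed a multiplied replay through the monitor and report what the
    IPS would have concluded about the 'network' it was protecting."""
    mon = HostStateMonitor(window, threshold)
    packets = 0
    for i, (src, _dst, _port) in enumerate(
            multiply_pcap(CAPTURED_FLOWS, copies, rewrite_sources)):
        mon.observe(i, src)
        packets = i + 1
    return {
        "packets": packets,
        "unique_hosts": len(mon.seen),
        "survivability_mode": mon.survivability_mode,
        "tripped_at": mon.tripped_at,
    }


def implied_monthly_uniques(new_hosts_per_second, days=30):
    """Extrapolate a new-host rate to 'unique visitors per month', the
    figure the post compares against Google's. About 104 new sources per
    second already implies roughly 270 million a month."""
    return new_hosts_per_second * days * 86400


if __name__ == "__main__":
    print("address-rewriting multiplier:", run_replay(5000, True))
    print("plain replay of the same pcaps:", run_replay(5000, False))
    print("104 new hosts/s per month:", implied_monthly_uniques(104))
```

Running the two replays side by side is the check: the same three pcaps replayed 5000 times without address rewriting never produce more than three hosts and never trip the monitor, while the rewriting multiplier trips it a few hundred packets in, long before the device has seen anything resembling the exploit. When evaluating an IPS with replay, compare the host and session diversity the tool generates against what the protected network actually sees, or the result measures the device's flood handling rather than its detection.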
