IDS mailing list archives
Re: Intrusion Prevention requirements document
From: ADT <synfinatic () gmail com>
Date: Mon, 14 Nov 2005 19:25:08 -0800
Sorry for being late to the party... I think what most people are forgetting about replay tools is that they're an easy way to CYA before you deploy a box inline on your network. Tomahawk, tcpreplay, and Traffic IQ all support taking pcaps of traffic captured on *your network* and running it through the IPS/whatever. If you've ever wondered about things like:

- Is there legit traffic running on my network that this vendor incorrectly tags/drops as malicious?
- Will this device fall over under load due to odd traffic patterns that occur on my network?

Then I would suggest using a replay tool to find out, since we all know that forwarding traffic forces the IPS/whatever to do more work than just sitting there and sniffing traffic on a tap/SPAN port.

Replay tools are also great ways to do repeatable tests of malicious traffic since they support emulating the client and server side of the connection. Once you capture malicious traffic (which may crash the target or worse) you can replay that traffic in an enclosed testbed without worrying about having to "fix" the target for the next attack. Not useful in every situation, but there are cases where this is useful (think automated regression testing).

Are replay tools the end-all and be-all of security tools? Hell no. And of course you can use a replay tool in a manner which negates their usefulness; just because you *can* do something doesn't mean it's valid for your environment.

Regards,
Aaron (who's somewhat biased as the author of the tcpreplay suite)
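To make the false-positive check described in the post concrete, here is an added example (not part of the original message or of the tcpreplay suite): it constructs a small pcap inline to stand in for a capture of your own known-legitimate traffic, then correlates a hypothetical IPS alert log (an assumed CSV format, `sid,src,sport,dst,dport`) against the flows in that capture, so any signature that fired on legitimate flows during the replay is flagged for tuning before the device goes inline.

```python
"""Flag IPS signatures that fired on known-legitimate replayed traffic.
Added example; the pcap is constructed inline and the alert CSV format
(sid,src,sport,dst,dport) is an assumption, not any vendor's real log."""
import struct
from collections import Counter

def build_pcap(flows):
    """Construct a minimal little-endian pcap (Ethernet/IPv4/TCP), one SYN per flow."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for src, sport, dst, dport in flows:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp     # zeroed MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def pcap_flows(data):
    """Yield (src, sport, dst, dport) for every IPv4/TCP packet in pcap bytes."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                             # skip global header
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                                     # not IPv4/TCP
        ihl = (pkt[14] & 0x0F) * 4                       # honour IP options
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        sport, dport = struct.unpack("!HH", pkt[14 + ihl:14 + ihl + 4])
        yield (src, sport, dst, dport)

def false_positive_candidates(pcap_bytes, alert_lines):
    """Count, per signature id, alerts whose 5-tuple matches a flow in the benign capture."""
    benign = set()
    for src, sport, dst, dport in pcap_flows(pcap_bytes):
        benign.add((src, sport, dst, dport))
        benign.add((dst, dport, src, sport))             # alerts may be logged server->client
    hits = Counter()
    for line in alert_lines:
        sid, src, sport, dst, dport = line.strip().split(",")
        if (src, int(sport), dst, int(dport)) in benign:
            hits[sid] += 1
    return hits

# Constructed sample: two legitimate flows and three alerts raised during the replay.
CAPTURE = build_pcap([("10.0.0.5", 40000, "10.0.0.9", 443), ("10.0.0.7", 51000, "10.0.0.20", 3306)])
ALERTS = ["1000001,10.0.0.5,40000,10.0.0.9,443",        # fires on legit HTTPS flow
          "1000002,192.0.2.1,1234,10.0.0.9,80",           # not in our capture, leave alone
          "1000001,10.0.0.20,3306,10.0.0.7,51000"]        # same sid, logged in reverse direction
if __name__ == "__main__":
    for sid, n in false_positive_candidates(CAPTURE, ALERTS).items():
        print(f"sid {sid}: {n} alert(s) on known-legitimate traffic; review before going inline")
```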