IDS mailing list archives

Re: Testing IDS with tcpreplay


From: Aaron Turner <synfinatic () gmail com>
Date: Wed, 15 Feb 2006 22:18:35 -0800

On 2/15/06, Prashant Khandelwal <prashant () juniper net> wrote:

<snip>
Obviously the biggest limitation of tcpreplay is it doesn't come with
a library of pcaps.  Maybe one of these days I can figure out the
logistics to make that happen and encourage people to actually submit
pcaps (which people tend to worry might have some kind of confidential
IP in them) rather than just leech off everyone else.  If anyone has
any bright ideas I'd love to hear them.
</snip>

Well, if it's a matter of hiding IP addresses and sensitive information, then
I guess tests which are run with private IP addresses in labs can be
captured and shared... just a thought...

Well, IP addresses are only a part of it.  Rewriting a pcap stream to
change the IP addresses to be RFC1918 is actually pretty easy
(tcpreplay can do it for you if you'd like).  But some protocols
embed the server FQDN/IP in the application layer (HTTP's Host header
for example).  And things like usernames and passwords are probably a
bit more worrisome and tend to be more difficult to edit in a pcap
file.

Overall, unless you're capturing traffic in a dedicated lab
environment, most organizations (at least the ones I've talked to)
wouldn't be happy with wide distribution of traffic captures from
inside or at the perimeter of their network.

--
Aaron Turner
http://synfin.net/
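Aaron's point above, that rewriting the addresses in the IP header is the easy part while the application layer still leaks the originals, as an added example (not code from this thread or from tcpreplay): a small Python anonymizer that maps every non-RFC1918 address to a stable 10.0.0.0/8 address and fixes the IP header checksum, then scans the TCP payload for leftovers. The class and function names, and the sample HTTP packet built with RFC 5737 documentation addresses, are constructed for this example.

```python
import ipaddress
import re
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ip_checksum(hdr: bytes) -> int:
    """RFC 791 ones-complement checksum over an even-length header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    return ~(s + (s >> 16)) & 0xFFFF

class Anonymizer:
    """Maps each non-RFC1918 address to a stable, sequential 10.0.0.0/8 address."""
    def __init__(self):
        self.map = {}                               # original -> replacement
    def remap(self, ip: str) -> str:
        if any(ipaddress.ip_address(ip) in n for n in RFC1918):
            return ip                               # already private, keep as-is
        if ip not in self.map:
            self.map[ip] = str(ipaddress.ip_address("10.0.0.1") + len(self.map))
        return self.map[ip]

def rewrite_ipv4(pkt: bytes, anon: Anonymizer) -> bytes:
    """Rewrite src/dst of a raw IPv4 packet and fix the IP header checksum (TCP/UDP
    checksums also cover the addresses via a pseudo-header; not recomputed here)."""
    ihl = (pkt[0] & 0x0F) * 4
    new = bytearray(pkt)
    for off in (12, 16):                            # src at 12, dst at 16
        orig = str(ipaddress.ip_address(pkt[off:off + 4]))
        new[off:off + 4] = ipaddress.ip_address(anon.remap(orig)).packed
    new[10:12] = b"\x00\x00"                        # zero before recomputing
    new[10:12] = struct.pack("!H", ip_checksum(bytes(new[:ihl])))
    return bytes(new)

def find_leaks(pkt: bytes, anon: Anonymizer) -> list:
    """Original addresses and Host headers still visible in the TCP payload."""
    ihl = (pkt[0] & 0x0F) * 4
    l4 = pkt[ihl:]
    payload = l4[(l4[12] >> 4) * 4:] if pkt[9] == 6 else l4   # skip TCP header
    text = payload.decode("latin-1")
    leaks = [ip for ip in anon.map if ip in text]
    return leaks + re.findall(r"Host:\s*(\S+)", text)

def build_sample() -> bytes:
    """Constructed HTTP/TCP/IPv4 packet using RFC 5737 documentation addresses."""
    http = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Forwarded-For: 198.51.100.7\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    src, dst = ipaddress.ip_address("198.51.100.7").packed, ipaddress.ip_address("203.0.113.10").packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 1, 0x4000, 64, 6, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + tcp + http
```

Running `find_leaks(rewrite_ipv4(build_sample(), anon), anon)` reports the X-Forwarded-For address and the Host header that header rewriting left behind, which is exactly the residue a reviewer has to deal with before a capture can be shared.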
