IDS mailing list archives
Re: Testing IDS with tcpreplay
From: "Aaron Turner" <synfinatic () gmail com>
Date: Wed, 22 Feb 2006 23:40:45 -0800
Hey Greg, I think you make some good points. If I could dare to offer to summarize your argument against replay tools it would be "garbage in, garbage out". And it's something I'd have to agree with 100%. If you're not willing to take the time to make sure your captures contain the "correct" information (however that might be defined) then you're asking for trouble. It's one of the reasons why I haven't tried making pcaps available for public consumption.

I hope nobody thinks tcpreplay/tomahawk/IDS Informer/TrafficIQ are the best solution for the entire IDS/IPS testing space, because they're clearly not. There are some areas (like regression) where it tends to work well (at least certain vendors have told me so) and others where it falls flat. It may not be 100% accurate, but doing valid tests 90% of the time is better than no tests 100% of the time.

IMHO, the difference between "actual attacks" and "specific sequence of packets" is that you haven't verified that your sequence of packets is the correct representation of the actual attack. In a controlled lab environment, it's not hard, but it takes effort and people like shortcuts. (Note to those still reading: If you're not including that shell, reverse socket or whatever in your pcap showing the attack was successful, you're leaving out important information.)

Luckily for everyone there are plenty of free and commercial tools out there to fill your toolbox with. I encourage everyone to do their homework and figure out how to base-line their tools... after all these tools contain code developed by humans and probably have as many bugs as the devices they're testing. If you ever look at the tcpreplay changelog you'll know what I'm talking about. :)

And now to summarize my email: YMMV.

Regards,
Aaron

--
Aaron Turner
http://synfin.net/
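As an added example (not from Aaron's message, nor code from tcpreplay), here is a small "verify the capture before you replay it" check: it parses a classic libpcap file and lists TCP flows where only one endpoint ever sent a packet, which is what a capture that is missing the victim's side (the shell or reverse socket mentioned above) looks like. The sample capture, addresses and ports are constructed inline for the demonstration.

```python
import struct
from collections import defaultdict

def build_packet(src_ip, dst_ip, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame with no payload (constructed test data)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file, link type 1 (Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records

def flow_directions(pcap_bytes):
    """Map each TCP flow (unordered pair of (ip, port)) to the set of endpoints seen sending."""
    seen = defaultdict(set)
    off = 24                                                # skip the global header
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                        # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        seen[frozenset({(src, sport), (dst, dport)})].add((src, sport))
    return seen

def one_sided_flows(pcap_bytes):
    """Flows in which only one endpoint ever transmitted: the other side's traffic is missing."""
    return [tuple(sorted(k)) for k, senders in flow_directions(pcap_bytes).items() if len(senders) < 2]

SYN, SYN_ACK, ACK = 0x02, 0x12, 0x10
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "10.0.0.9", 40000, 80, SYN),      # complete handshake: both sides present
    build_packet("10.0.0.9", "10.0.0.5", 80, 40000, SYN_ACK),
    build_packet("10.0.0.5", "10.0.0.9", 40000, 80, ACK),
    build_packet("10.0.0.5", "10.0.0.9", 40001, 4444, SYN),    # only the initiator was captured
])

if __name__ == "__main__":
    for flow in one_sided_flows(SAMPLE_PCAP):
        print("one-sided flow, response side missing:", flow)
```

Run against a real capture by replacing SAMPLE_PCAP with the file's bytes; every flow it reports is one the replayed "attack" cannot faithfully reproduce, because the sensor will never see the other side.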
Current thread:
- Testing IDS with tcpreplay Elias-Bachrach, Ari (HQ-WRH10) (Feb 13)
- Re: Testing IDS with tcpreplay ehanselman (Feb 14)
- Re: Testing IDS with tcpreplay Aaron Turner (Feb 15)
- Re: Testing IDS with tcpreplay Richard Bejtlich (Feb 19)
- Re: Testing IDS with tcpreplay Ivan Arce (Feb 21)
- Re: Testing IDS with tcpreplay Aaron Turner (Feb 22)
- Re: Testing IDS with tcpreplay Greg Shipley (Feb 22)
- Re: Testing IDS with tcpreplay Aaron Turner (Feb 23)
- Re: Testing IDS with tcpreplay Bob Walder (Feb 24)
- useful real-life example of IDS/IPS Shai Rubin (Feb 23)
- Re: Testing IDS with tcpreplay Stefano Zanero (Feb 26)
- Re: Testing IDS with tcpreplay Aaron Turner (Feb 15)
- Re: Testing IDS with tcpreplay Ivan Arce (Feb 23)
- IPS test machine Terry Vernon (Feb 24)
- Re: Testing IDS with tcpreplay Aaron Turner (Feb 24)
- Re: Testing IDS with tcpreplay Bob Walder (Feb 26)
- Re: Testing IDS with tcpreplay ehanselman (Feb 14)
- Re: Testing IDS with tcpreplay Bob Walder (Feb 23)
- Re: Testing IDS with tcpreplay Stefano Zanero (Feb 26)
- Re: Testing IDS with tcpreplay Aaron Turner (Feb 26)