IDS mailing list archives
Re: icsa ips testing vulnerability set
From: Stefano Zanero <zanero () elet polimi it>
Date: Wed, 26 Jul 2006 14:50:44 +0200
Ronny Vaningh wrote:
> While I was reviewing ICSA "Network IPS Corporate Testing Criteria" I

Disclaimer: didn't read that document, so I'm commenting on your comment.

> really got the impression that they used a fairly outdated set of vulnerabilities.

The problem is more basic. You are thinking of a coverage test, meaning "let's see how many attacks they do block". Trouble is, this is misuse detection, so this does not make much sense. If you shoot at those appliances an attack they have a signature for, they'll almost invariably catch it. If it's a new attack, or one they don't have a signature for, they won't.

> What do you think?

From my point of view, testing IDS coverage in width, in particular in misuse detection systems, is pointless. It makes slightly more sense to test for the ability to recognize classes of attacks. Further details on my black hat federal presentation that I won't spam anymore *eg*

Stefano