IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: TrafficIQ HTTP IE traffic coverage

From: Daniel DeLeo <danielsdeleo () mac com>
Date: Wed, 11 Oct 2006 10:50:58 -0600
In my view, the test should be as comprehensive as possible. If you choose not to put some rules into your IDS/IPS for good reasons, that's fine, but I think the test should tell you every possible exploit that can get through your IDS/IPS. You don't have to configure your IDS a certain way just because a test told you to, the point of the test is to give you information about your IDS that you can use to configure it the way you feel is best.
That said, I haven't used TrafficIQ, and I don't work there. If you feel that TrafficIQ is missing tests for some critical vulnerabilities, and that the developers have neglected these in order to write tests for IE DoS instead (maybe because it's easier to write tests for the IE DoSes than for other vulnerabilities, but I don't know if that's the case) that would be significant. On the other hand, I don't think it is a big deal if they test more things than you care about, that is better than testing fewer things than you care about.
I think it is also important to keep in mind that IDS tests, Nessus scans, and the like are supposed to be interpreted by qualified individuals. If you are having a problem like your boss freaking out because the test results say that your IDS isn't configured to protect you from a long list of IE DoS vulnerabilities, and he doesn't even know what the test results mean, that's a layer 8 problem, not a problem with the test. YOU obviously know you can safely ignore all the test results that deal with IE DoS vulnerabilities, the same way I know to ignore Nessus when it says Apache 1.3 is vulnerable on my OpenBSD systems. 

On Oct 10, 2006, at 1:40 AM, SanjayR wrote:


Hi All:
Few days ago, I got a chance to work on TrafficIQ (karalon IDS/IPS evaluation device). With its latest update, Traffic IQ has traffic for many attacks. A majority of HTTP traffic is related to IE crash (or DoS). I have a doubt at this point. TrafficIQ is used to evaluate IDS/IPS, which in turn is used to detect the sign of attacks and at the same time, it should not become a bottleneck (esp. IPS) by taking too much time to process packets. Therefore, the signatures should be optimized well, which implies that number of signatures should be kept as minimum as possible without compromising the internal network security. From this standpoint, I have an opinion that all the IE (or other clients) crash or DoS related signatures should have lowest priority, because as such these attacking activities are not doing any harm to internal network. (I may go a little further to say, such signatures are not required!!!). One is going to a site which contains a malicious file that causes IE to crash. so what..don't go or don't download that.. anyway that file is bad. If my assumption is correct and justified, then TrafficIQ, as an IDS/IPS evaluation tool, should not contain such traffic. Such traffic, as such, does not evaluate capabilities of an IDS/IPS effectively. Has TrafficIQ included such traffic just to advertise its high number of various attacks? 
Please let me know if i have gone wrong with my assumtion.
thanks


Sanjay
Security Research Engineer
INTOTO Software (India) Private Limited
---------------------------------------------------------------------- -- 
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5? module=Form&action=impact&campaign=intro_sfw to learn more. ---------------------------------------------------------------------- -- 




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. 
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: