IDS mailing list archives

Re: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk


From: ADT <synfinatic () gmail com>
Date: Wed, 3 Nov 2004 10:04:48 -0800

Because IDS/IPS companies spend a fair amount of their time/effort
tracking down these exploits and capturing them for their internal
development, QA and competitive testing.  Unlike the AV industry, the
IDS/IPS industry doesn't work together on detecting new exploits, and
hence if company A has a capture/exploit for a new worm before company
B then they can write a signature for it sooner and have better
coverage than their competition and beat their marketing drum louder.

-Aaron

-- 
http://synfin.net/

On Tue, 2 Nov 2004 11:00:58 -0600, Compton, Rich
<rcompton () chartercom com> wrote:
Why the heck would a pcap be confidential?  As far as I know the pcaps that
would be used in IPS testing would consist of some attack traffic (maybe
obfuscated w/ fragrouter) with a mix of valid traffic.  You replay the pcap
and verify that the attack traffic was blocked.  Anybody can generate and
record this traffic relatively easily.  Would it be because some IPSs work
well with certain types of traffic (pcaps) and not very well with others?
If so, then the community should share this information and these pcap files
to reproduce the results.  We could then make better informed decisions
about what is the right device to purchase for our networks.

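The test loop Rich describes (replay a pcap through the IPS, capture what comes out the far side, verify the attack traffic was blocked) is easy to state but the verification step is where test rigs usually get sloppy. Below is an added example, not code from this thread or from Tomahawk, that does the verification offline: it compares the replayed capture with the capture taken behind the IPS flow by flow and reports which tagged attack flows were blocked, which leaked (fully or partly), and which benign flows were dropped. It parses the classic libpcap format with the standard library only (Ethernet link type, IPv4/TCP/UDP keys); the idea of tagging attack traffic by 5-tuple is an assumption for the example, and the packets and addresses are constructed test data, not real exploit traffic. Obfuscation such as fragrouter-style fragmentation is not covered here.

```python
"""Offline verification of an IPS replay test (added example, not from the
thread).  Compare the pcap replayed into the IPS with the pcap captured on
its far side, flow by flow, and report blocked / partial / leaked attack
flows and dropped (false-positive) benign flows.  Stdlib only."""
import socket
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read little-endian from an LE file
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic read little-endian from a BE file
LINKTYPE_ETHERNET = 1


def build_pcap(frames):
    """Write raw Ethernet frames into a classic little-endian pcap image."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return the frames of a classic pcap image (either byte order)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack_from(endian + "IHHiIII", data, 0)[6] != LINKTYPE_ETHERNET:
        raise ValueError("example only handles Ethernet captures")
    frames, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated capture record")
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def flow_key(frame):
    """(src, dst, proto, sport, dport) for an IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return (src, dst, proto, None, None)
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return (src, dst, proto, sport, dport)


def verify_blocking(sent_pcap, received_pcap, attack_flows):
    """Per-flow packet counts before and after the IPS -> {flow: (sent, recv, verdict)}.
    An attack flow is 'blocked' only if nothing got through; 'partial' means some
    packets (typically the handshake) passed before the IPS reacted.  A benign
    flow that lost packets is 'dropped', i.e. a false positive."""
    sent = Counter(k for k in map(flow_key, parse_pcap(sent_pcap)) if k)
    recv = Counter(k for k in map(flow_key, parse_pcap(received_pcap)) if k)
    report = {}
    for flow, n_sent in sent.items():
        n_recv = recv.get(flow, 0)
        if flow in attack_flows:
            verdict = "blocked" if n_recv == 0 else "partial" if n_recv < n_sent else "leaked"
        else:
            verdict = "passed" if n_recv == n_sent else "dropped"
        report[flow] = (n_sent, n_recv, verdict)
    return report


def ipv4_tcp_frame(src, dst, sport, dport, payload, flags=0x18):
    """Minimal Ethernet/IPv4/TCP frame for constructed test data.  Checksums are
    left at zero: these frames are only parsed offline, never transmitted."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed test data (assumed addresses): two benign and two attack flows to
# one server.  Which flows are attacks is the tester's own tag list; the
# payload bytes are placeholders, not real exploit traffic.
SERVER = "10.0.0.10"
BENIGN_WEB = ("10.0.0.5", SERVER, 6, 50000, 80)
BENIGN_TLS = ("10.0.0.5", SERVER, 6, 50001, 443)
ATTACK_A = ("10.0.0.6", SERVER, 6, 40000, 80)
ATTACK_B = ("10.0.0.7", SERVER, 6, 40001, 80)
ATTACK_FLOWS = {ATTACK_A, ATTACK_B}


def _pkt(flow, payload):
    src, dst, _, sport, dport = flow
    return ipv4_tcp_frame(src, dst, sport, dport, payload)


def demo():
    """Replayed set vs. what the capture behind the IPS saw (constructed)."""
    sent = ([_pkt(BENIGN_WEB, b"GET / HTTP/1.0\r\n\r\n")] * 3
            + [_pkt(ATTACK_A, b"<attack payload A>")] * 3
            + [_pkt(ATTACK_B, b"<attack payload B>")] * 2
            + [_pkt(BENIGN_TLS, b"\x16\x03\x01")])
    # Behind the IPS: benign web flow intact, attack A fully blocked, one
    # packet of attack B slipped through, benign TLS flow wrongly dropped.
    received = [sent[0], sent[1], sent[2], sent[6]]
    return verify_blocking(build_pcap(sent), build_pcap(received), ATTACK_FLOWS)


if __name__ == "__main__":
    for flow, (n_sent, n_recv, verdict) in demo().items():
        print(f"{flow[0]}:{flow[3]} -> {flow[1]}:{flow[4]}  sent={n_sent} recv={n_recv}  {verdict}")
```

Counting per flow rather than per file is what makes the result useful: an IPS that lets the three-way handshake through and only drops the payload packet shows up as "partial", and a benign flow that disappears shows up as "dropped", so a replay run reports false positives in the same pass as misses. With real captures, replace the constructed `sent`/`received` lists with the bytes of the two pcap files and the tag set with the flows you know to be attacks.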
