IDS mailing list archives

RE: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk


From: Greg Shipley <gshipley () neohapsis com>
Date: Thu, 4 Nov 2004 14:34:16 -0600 (CST)


On Thu, 4 Nov 2004, Rob Shein wrote:

Oh, I have to disagree with this, and for a one-word reason: "open".
Because it's an open-source tool, everyone can look into it and see how it
works.

I hear ya, but reading code != understanding good testing methodology.

But even if it did, do you believe that the average corporate product
tester reads all the code to the tools that he or she uses?  Much less
understands it?  SHOULD they read the code?  Absolutely - if they've got
the time and skill.  Do they?  Heh.  From what I've seen in the past few
have the time or skills...but maybe you have seen differently...


For example, before I'd even started reading this thread, Martin Roesch
had chimed in with his own assessment of how it works.  So if it's
geared towards making any one vendor look better than all the
others...well, they'd get caught at it right off, and it would have the
opposite effect.

Again, good points, but I wish it were that simple.  Can you honestly say
that the average person can dissect pcap traffic dumps to the point where
they are going to notice differences in, say, NOP sleds or targeted landing
zones, when they watch the exploit code go across the wire?  (I couldn't
w/o the help of some of the exploit writers at Neo...and I live with this
stuff!)  And even if you did, could you PROVE that a vendor exploited
service x in y manner just to avoid Vendor Z's detection?

In principle I agree with what you are saying, but in reality I've found
it to be FAR more difficult - the issues aren't nearly that simple.


And also worth pointing out is that unlike the RDBMS example listed
below, TippingPoint isn't even saying that their product is better with
this tool. For that matter, they aren't making any claims at all; their
release could just as easily have come from any researcher with no
vendor ties, without being any different.  They're only saying, "hey,
this is a rapidly-growing technology, and there aren't really any tools
for non-vendors to validate products...here's something we've come up
with to get the ball rolling in that direction."

Really?  Is the above what TippingPoint is saying with the following
statement:

"To date, the tools for testing NIPS have been expensive and limited in
functionality. They are typically designed for testing other products,
such as switches (e.g., SmartBits/ IXIA), server infrastructure (e.g.,
WebAvalanche), or Firewalls and Intrusion Detection Systems (Firewall
Informer or IDS Informer).  None of these tools simulate the harsh
environment of real networks under attacks."

(see http://tomahawk.sourceforge.net/)

"None of these tools simulate" sounds an awful lot like they are stating
their tool is indeed, "better" - but maybe that's just my interpretation.
Did you interpret this differently?

Thanks,

-Greg

