IDS mailing list archives
Re: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk
From: ADT <synfinatic () gmail com>
Date: Sat, 6 Nov 2004 13:16:02 -0800
(thread is getting long, so just going to snip the whole thing, hopefully you kept a local copy)

Hey Greg/Marty,

I don't think anyone would argue that tcpreplay or tomahawk are written for performance testing of IDS or IPS. I'm sure some people do that, but both have rather limited use in that regard (you want to generate background traffic using *your* network's traffic).

What tcpreplay and tomahawk do rather well is provide the means to safely reproduce malicious traffic for testing detection capabilities. Unlike "live tests", tcpreplay/tomahawk don't require people to distribute working exploit code or attack an actual host which, due to the nature of exploits, will likely have to be "fixed" in some manner. Unlike exploit code, there is no risk that a pcap will also re-format your hard drive or require you to install and configure a wide variety of operating systems and applications to attack.

Of course, unlike a "live test" there is some trust involved that the pcap contains packets which are relevant for the test you are running. Whether or not this precludes either tool from being used by someone evaluating an IDS/IPS probably depends on how much they trust the pcaps.

For those people who don't want to trust pcaps and don't have the means to get a library of working exploits, I'm sure Blade will be more than happy to sell you IDS Informer (of course, now you have to trust Blade, so you're just shifting your trust).

Of course if you already have a repository of valid pcaps (maybe something the OSVDB guys could do?) with known attacks, then using these tools probably makes a lot of sense for certain kinds of tests.

Aaron, the tcpreplay guy

--
http://synfin.net/