IDS mailing list archives

RE: Intrusion Prevention requirements document


From: "Chris Ralph" <cralph () karalon com>
Date: Thu, 10 Nov 2005 20:10:11 -0000


Mike,

You make an excellent point.  Replay tools can be effective when used in the
right context because they are simple and time-saving as well as providing
controlled, repeatable testing, but it is important not to group all the tools
under the same banner, such as pcap multipliers.

The ability, for instance, to replay hundreds of malicious and standard protocol
files with user-defined parameters, without the need for additional hardware,
configuration or the huge amount of research required to gather and validate
the binaries/exploits, is in my opinion and that of my clients very useful.

There are of course software solutions out there that purport to provide
load generation in the manner that you have described, and these do need to
be used with care and understanding, but Traffic IQ Pro is not one of them
and does not claim to be.

Tony




-----Original Message-----
From: Mike Frantzen [mailto:frantzen () nfr com] 
Sent: 10 November 2005 16:27
To: Tony Haywood
Cc: focus-ids () securityfocus com
Subject: Re: Intrusion Prevention requirements document

" I strongly believe that replay tools are NOT an effective way to 
test an IPS:"
That's quite a bold statement to make.  I agree that they are not a 
panacea, but not effective?  If that was the case, then why do tools 
such as TCPReplay, Tomahawk and even the Metasploit project exist other 
than to replay, in a controlled manner, live or pre-captured sessions 
of an exploit to its natural conclusion?  And why are these very tools 
used by the majority of the security vendors to augment the design and 
validation of signatures, not to mention by the testing labs in their relevant
reports?

People use those replay tools because they're easy, not because they're
effective.  Gather 'round kids, it's story time about someone testing with a
replay tool.  In order to test our 100Mb/s device they were using one of the
freely available pcap multipliers that generates tons of traffic from just a
few pcaps.  Our device kept going into its DoS survivability mode to
prevent a total outage and the tester was getting annoyed.

But why Mike?  To generate that 100Mb of traffic it was actually
simulating a network with 14K local hosts.  Owwie.  But it gets worse, it
also simulated a network that received 270 million unique visitors a month,
and Google only gets 80 million a month!  It was actually pretty cool to see
the DoS survivability stuff working so well under such a massive attack
against our state/statistics gathering.


There are also other problems with many replay tools that force the IPS to
serialize its processing instead of parallelizing or batching it.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP:  CC A4 E2 E8 0C F8 42 F0  BC 26 85 5B 6F 9E ED 28
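The exchange above turns on whether replayed traffic looks like a network an IPS could plausibly see. As an added example, not code from either poster or from Traffic IQ Pro or any pcap multiplier, here is a small Python sanity check a test engineer can run over flow records pulled from a capture before replaying it: it counts the distinct local and remote hosts the replay would imply and extrapolates the monthly unique-visitor rate Mike used to judge his tester's traffic. The flow lines, the thresholds, and the `simulate_multiplier` model (every replayed copy of the base capture gets fresh source and destination addresses) are constructed assumptions for the example.

```python
"""Plausibility check for replayed test traffic before it is pointed at an IPS.

Constructed example. Flow records are assumed to be in a simple
"timestamp src_ip dst_ip dst_port" text form already extracted from a pcap.
"""
from ipaddress import ip_address, ip_network

SECONDS_PER_MONTH = 30 * 24 * 3600

# Constructed: a short capture of a few hosts, the kind a multiplier starts from.
BASE_CAPTURE = """
# ts src dst dport
0.0 10.0.0.5 198.51.100.10 80
0.4 10.0.0.5 198.51.100.10 80
1.0 10.0.0.7 198.51.100.20 443
"""

# Constructed: one minute of traffic from a realistic small office.
REAL_SAMPLE = """
0.0 10.0.0.5 198.51.100.10 80
5.0 10.0.0.5 198.51.100.10 80
12.0 10.0.0.7 198.51.100.20 443
20.0 10.0.0.9 198.51.100.10 80
33.0 10.0.0.5 198.51.100.30 25
45.0 10.0.0.7 198.51.100.20 443
60.0 10.0.0.9 198.51.100.40 80
"""


def parse_flows(lines):
    """Parse "ts src dst dport" lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((float(ts), ip_address(src), ip_address(dst), int(dport)))
    return flows


def simulate_multiplier(base_lines, copies, duration_s):
    """Constructed model of a pcap multiplier (an assumption, not any real tool):
    emit `copies` copies of the base capture spread over `duration_s`, giving
    every copy its own local and remote address so host counts balloon."""
    base = parse_flows(base_lines)
    local_base = ip_address("10.0.0.0")      # local hosts drawn from 10/8
    remote_base = ip_address("198.18.0.0")   # remotes drawn from the RFC 2544 benchmarking range
    out = []
    for i in range(copies):
        offset = i * duration_s / copies
        for ts, _, _, dport in base:
            out.append(f"{ts + offset:.3f} {local_base + i} {remote_base + i} {dport}")
    return out


def summarize(flows, local_net):
    """Count distinct local/remote hosts and extrapolate remotes seen per month."""
    net = ip_network(local_net)
    local, remote = set(), set()
    for _, src, dst, _ in flows:
        for addr in (src, dst):
            (local if addr in net else remote).add(addr)
    times = [f[0] for f in flows]
    duration = max(max(times) - min(times), 1.0) if times else 1.0
    return {
        "local_hosts": len(local),
        "remote_hosts": len(remote),
        "duration_s": duration,
        "remote_per_month": len(remote) / duration * SECONDS_PER_MONTH,
    }


def is_plausible(summary, max_local_hosts, max_remote_per_month):
    """Return a list of problems; an empty list means the replay looks like a real network."""
    problems = []
    if summary["local_hosts"] > max_local_hosts:
        problems.append(f"{summary['local_hosts']} local hosts exceeds {max_local_hosts}")
    if summary["remote_per_month"] > max_remote_per_month:
        problems.append(f"{summary['remote_per_month']:.0f} unique remotes/month "
                        f"exceeds {max_remote_per_month}")
    return problems


if __name__ == "__main__":
    # Constructed thresholds: what the target network could realistically present.
    limits = dict(max_local_hosts=1000, max_remote_per_month=100_000_000)
    for name, lines in (("real", REAL_SAMPLE.splitlines()),
                        ("multiplied", simulate_multiplier(BASE_CAPTURE.splitlines(), 14000, 60.0))):
        s = summarize(parse_flows(lines), "10.0.0.0/8")
        print(name, s, is_plausible(s, **limits) or "plausible")
```

Run it as-is and the one-minute office sample passes, while 14,000 address-rewritten copies of the base capture imply 14,000 local hosts and a monthly unique-remote rate in the hundreds of millions, exactly the shape of traffic that drove the device in the story into its DoS survivability mode. The check is a pre-flight for the test rig, not a judgement on the IPS.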





