IDS mailing list archives
RE: Intrusion Prevention requirements document
From: "Chris Ralph" <cralph () karalon com>
Date: Thu, 10 Nov 2005 20:10:11 -0000
Mike,

You make an excellent point. Replay tools can be effective when used in the right context because they are simple and time-saving as well as providing controlled, repeatable testing, but it is important not to group all the tools under the same banner, such as pcap multipliers. The ability, for instance, to replay hundreds of malicious and standard protocol files with user-defined parameters without the need for additional hardware, configuration or the huge amount of research required to gather and validate the binaries/exploits is, in my opinion and that of my clients, very useful. There are of course software solutions out there that purport to provide load generation in the manner that you have described, and these do need to be used with care and understanding, but Traffic IQ Pro is not one of them and does not claim to be.

Tony

-----Original Message-----
From: Mike Frantzen [mailto:frantzen () nfr com]
Sent: 10 November 2005 16:27
To: Tony Haywood
Cc: focus-ids () securityfocus com
Subject: Re: Intrusion Prevention requirements document
> "I strongly believe that replay tools are NOT an effective way to test an IPS."
>
> That's quite a bold statement to make. I agree that they are not a panacea, but not effective? If that was the case, then why do tools such as Tcpreplay, Tomahawk and even the Metasploit project exist other than to replay, in a controlled manner, live or pre-captured sessions of an exploit to its natural conclusion? And why are these very tools used by the majority of the security vendors to augment the design and validation of signatures, not to mention the testing labs in their relevant reports?

People use those replay tools because they're easy, not because they're effective.

Gather 'round kids, it's story time about someone testing with a replay tool. In order to test our 100Mb/s device they were using one of the freely available pcap multipliers that generates tons of traffic from just a few pcaps. Our device kept going into its DoS survivability mode to prevent a total outage and the tester was getting annoyed. But why, Mike? To generate that 100Mb of traffic it was actually simulating a network with 14K local hosts. Owwie. But it gets worse: it also simulated a network that received 270 million unique visitors a month, and Google only gets 80 million a month! It was actually pretty cool to see the DoS survivability stuff working so well under such a massive attack against our state/statistics gathering.

There are also other problems with many replay tools that force the IPS to serialize its processing instead of parallelize or batch its processing.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28
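The story above turns on two properties of multiplied replay traffic: an implausible number of distinct source hosts per unit time, and flows that run one after another rather than overlapping, so the IPS never gets to parallelize. The following is an added example (not code from either poster or from any tool named in the thread) that sanity-checks a replay before it is pointed at an IPS. It works on constructed flow summaries in a hypothetical "start end src dst" text format, standing in for flows exported from a real capture, and reports unique sources, peak concurrency and the unique-source rate extrapolated to a month.

```python
from dataclasses import dataclass

SECONDS_PER_MONTH = 30 * 24 * 3600


@dataclass
class Flow:
    start: float
    end: float
    src: str
    dst: str


def parse_flows(text):
    """Parse constructed 'start end src dst' lines (hypothetical format)."""
    flows = []
    for line in text.strip().splitlines():
        start, end, src, dst = line.split()
        flows.append(Flow(float(start), float(end), src, dst))
    return flows


def unique_sources(flows):
    return len({f.src for f in flows})


def peak_concurrency(flows):
    """Largest number of flows open at the same instant (sweep line).
    A value of 1 means every flow finished before the next began: the
    serialized pattern that never exercises the IPS's parallel paths."""
    events = sorted([(f.start, 1) for f in flows] + [(f.end, -1) for f in flows])
    current = peak = 0
    for _, delta in events:  # ends sort before starts at equal timestamps
        current += delta
        peak = max(peak, current)
    return peak


def projected_monthly_uniques(flows):
    """Extrapolate the unique-source rate seen in the replay window to a month."""
    window = max(f.end for f in flows) - min(f.start for f in flows)
    return int(round(unique_sources(flows) / window * SECONDS_PER_MONTH))


def assess(text):
    flows = parse_flows(text)
    return {
        "unique_sources": unique_sources(flows),
        "peak_concurrency": peak_concurrency(flows),
        "projected_monthly_uniques": projected_monthly_uniques(flows),
    }


# Constructed sample: a multiplier emitting a fresh source per flow, back to back.
MULTIPLIED = """
0.0 0.5 10.0.0.1 192.0.2.10
0.5 1.0 10.0.0.2 192.0.2.10
1.0 1.5 10.0.0.3 192.0.2.10
1.5 2.0 10.0.0.4 192.0.2.10
"""

# Constructed sample: two real hosts with overlapping sessions.
INTERLEAVED = """
0.0 1.5 10.0.0.1 192.0.2.10
0.5 2.0 10.0.0.1 192.0.2.10
1.0 1.5 10.0.0.2 192.0.2.10
"""

if __name__ == "__main__":
    print("multiplied :", assess(MULTIPLIED))
    print("interleaved:", assess(INTERLEAVED))
```

A projected monthly unique count far beyond any network the device is meant to protect, or a peak concurrency of 1, means the test is measuring the replay tool, not the IPS.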