IDS mailing list archives
RE: Testing IDS with tcpreplay
From: "Prashant Khandelwal" <prashant () juniper net>
Date: Thu, 16 Feb 2006 10:59:53 +0530
Ok, adding more to this discussion. Tcpreplay becomes very handy in scenarios where complex application-protocol-based attacks have to be tested. In this case a quicker way would be editing the existing pcaps with tools like netdude and then tcpreplaying them :-). A good example would be testing overflow protocol anomalies using pcap editing. I would say tcpreplay along with real-time exploits/tools is the best way to do it.

<snip>
Obviously the biggest limitation of tcpreplay is it doesn't come with a library of pcaps. Maybe one of these days I can figure out the logistics to make that happen and encourage people to actually submit pcaps (which people tend to worry might have some kind of confidential IP in them) rather than just leech off everyone else. If anyone has any bright ideas I'd love to hear them.
</snip>

Well, if it's a matter of hiding IP addresses and sensitive information, then I guess tests which are run with private IP addresses in labs can be captured and shared... just a thought...

Thanks
Prashant

-----Original Message-----
From: Aaron Turner [mailto:synfinatic () gmail com]
Sent: Wednesday, February 15, 2006 5:27 AM
To: ehanselman () netscape net
Cc: focus-ids () securityfocus com
Subject: Re: Testing IDS with tcpreplay

Generally speaking, tcpreplay is better when one or more of the following is true:

1) Trying to do comparative analysis and you want to make sure each device sees exactly the same thing
2) Need to automate or do a lot of regression testing and want a stable and relatively simple lab environment
3) Already have a library of pcaps (either from customers, the wild or capturing traffic of real tools like Metasploit)
4) Don't want to worry about re-installing or fixing target systems after they've been 0wn3d. VMware of course helps, but there is still a lot more administrative overhead.
5) You don't want to have to install and then maintain 10's or 100's of applications and their operating systems to break into.

In general, tcpreplay isn't all that useful IMHO when you're first starting off and "want to do some IDS/IPS testing" or only intend to run a few tests or tests only once or twice unless you already happen to have a nice pcap library. Obviously the biggest limitation of tcpreplay is it doesn't come with a library of pcaps. Maybe one of these days I can figure out the logistics to make that happen and encourage people to actually submit pcaps (which people tend to worry might have some kind of confidential IP in them) rather than just leech off everyone else. If anyone has any bright ideas I'd love to hear them.

--
Aaron Turner
http://synfin.net/
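Prashant's suggestion of sharing captures taken on private lab addresses, and Aaron's note that people hesitate to submit pcaps for fear of leaking confidential IPs, both come down to the same pre-sharing step: consistently rewriting the real addresses in a capture while keeping it replayable. The script below is an added example written for this archive page, not code from the thread, from tcpreplay, or from its tcprewrite tool (which covers this job in practice). It walks a classic little-endian pcap, remaps every IPv4 address to a fresh one from a private /16 (same real address, same lab address, so flows stay correlated), and recomputes both the IP header checksum and the TCP/UDP checksum, because the transport checksum covers a pseudo-header containing the addresses and many sensors drop segments whose checksum fails. The two-packet capture it builds uses RFC 5737 documentation addresses standing in for "real" ones; the lab range `10.99.0.0/16` and every function name are the example's own assumptions. Address rewriting alone is not full sanitization: hostnames, credentials and other identifiers in payloads survive it and need separate review.

```python
"""Added example (not from the thread or the tcpreplay project): rewrite IPv4
addresses in a classic little-endian pcap (magic 0xa1b2c3d4, Ethernet link
type, unfragmented IPv4) to a private lab range, keeping checksums valid."""
import ipaddress
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over data that already carries a valid checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def make_mapper(lab_net: str):
    """Return a function mapping each real address to the same fresh lab address every time."""
    hosts, table = ipaddress.ip_network(lab_net).hosts(), {}
    def remap(raw: bytes) -> bytes:
        if raw not in table:
            table[raw] = next(hosts).packed
        return table[raw]
    return remap

def fix_transport_checksum(ip: bytearray, seg: bytearray) -> None:
    """Recompute the TCP (proto 6) or UDP (proto 17) checksum over pseudo-header + segment, in place."""
    proto = ip[9]
    off = {6: 16, 17: 6}.get(proto)
    if off is None or len(seg) < off + 2:
        return  # other protocols are left untouched
    seg[off:off + 2] = b"\x00\x00"
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, proto, len(seg))
    seg[off:off + 2] = struct.pack("!H", ip_checksum(pseudo + bytes(seg)))

def rewrite_ipv4(frame: bytes, remap) -> bytes:
    """Rewrite src/dst of an Ethernet/IPv4 frame; non-IPv4 or truncated frames pass through."""
    if len(frame) < ETH_HDR_LEN + 20 or frame[12:14] != struct.pack("!H", ETHERTYPE_IPV4):
        return frame
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    total = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    ip = bytearray(frame[ETH_HDR_LEN:ETH_HDR_LEN + ihl])
    seg = bytearray(frame[ETH_HDR_LEN + ihl:ETH_HDR_LEN + total])  # excludes Ethernet padding
    ip[12:16] = remap(bytes(ip[12:16]))
    ip[16:20] = remap(bytes(ip[16:20]))
    fix_transport_checksum(ip, seg)
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip[:10]) + b"\x00\x00" + bytes(ip[12:])))
    return frame[:ETH_HDR_LEN] + bytes(ip) + bytes(seg) + frame[ETH_HDR_LEN + total:]

def iter_records(data: bytes):
    """Yield ((ts_sec, ts_usec, orig_len), frame) for each record of a classic LE pcap."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC_LE:
        raise ValueError("example handles little-endian classic pcap only")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack("<IIII", data[off:off + 16])
        yield (ts_sec, ts_usec, orig), data[off + 16:off + 16 + incl]
        off += 16 + incl

def anonymize_pcap(data: bytes, lab_net: str = "10.99.0.0/16") -> bytes:
    """Return a new pcap with every IPv4 address replaced consistently by one from lab_net."""
    remap, out = make_mapper(lab_net), bytearray(data[:24])
    for (ts_sec, ts_usec, orig), frame in iter_records(data):
        new = rewrite_ipv4(frame, remap)
        out += struct.pack("<IIII", ts_sec, ts_usec, len(new), orig) + new
    return bytes(out)

def checksums_ok(data: bytes) -> bool:
    """True when every IPv4 header and TCP/UDP segment in the pcap verifies (assumes such frames)."""
    for _, f in iter_records(data):
        ihl = (f[ETH_HDR_LEN] & 0x0F) * 4
        ip = f[ETH_HDR_LEN:ETH_HDR_LEN + ihl]
        total = struct.unpack("!H", ip[2:4])[0]
        seg = f[ETH_HDR_LEN + ihl:ETH_HDR_LEN + total]
        pseudo = ip[12:20] + struct.pack("!BBH", 0, ip[9], len(seg))
        if ip_checksum(ip) != 0 or ip_checksum(pseudo + seg) != 0:
            return False
    return True

def make_tcp_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample frame: Ethernet + IPv4 + bare TCP SYN with valid checksums."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                               ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed))
    fix_transport_checksum(ip, tcp)
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))  # checksum field is still zero here
    return eth + bytes(ip) + bytes(tcp)

def build_sample_pcap() -> bytes:
    """Constructed two-packet capture; RFC 5737 documentation addresses stand in for real ones."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
    for i, frame in enumerate([make_tcp_syn("192.0.2.10", "198.51.100.5", 40000, 80),
                               make_tcp_syn("198.51.100.5", "192.0.2.10", 80, 40000)]):
        out += struct.pack("<IIII", 1140000000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)
```

Run `anonymize_pcap(open("real.pcap", "rb").read())` on your own capture and write the result to a new file; `checksums_ok` on the output is the quick sanity check before replaying it through the sensor. The mapper deliberately hands out addresses in first-seen order rather than hashing the originals, so nothing in the shared file lets a reader work back to the real address space.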