IDS mailing list archives

Re: icsa ips testing vulnerability set


From: Stefano Zanero <zanero () elet polimi it>
Date: Wed, 26 Jul 2006 14:50:44 +0200

Ronny Vaningh wrote:
> While I was reviewing ICSA "Network IPS Corporate Testing Criteria" I

Disclaimer: didn't read that document, so I'm commenting on your comment.

> really got the impression that they used a fairly outdated set of
> vulnerabilities.

The problem is more basic.

You are thinking of a coverage test, meaning "let's see how many attacks
they do block". Trouble is, this is misuse detection, so this does not
make much sense. If you shoot at those appliances an attack they have a
signature for, they'll almost invariably catch it. If it's a new attack,
or one they don't have a signature for, they won't.

> What do you think?

From my point of view, testing IDS coverage in width, in particular in
misuse detection systems, is pointless. It makes slightly more sense to
test for the ability to recognize classes of attacks.

Further details are in my Black Hat Federal presentation, which I won't
spam anymore *eg*

Stefano
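An added toy harness (not from the post, from ICSA, or from any product) contrasting the two test methodologies discussed above: replaying the known attack set against an exact-match signature engine versus measuring recognition of an attack class on samples the signature set never contained. All signatures and samples below are constructed for illustration.

```python
"""Toy evaluation harness: 'coverage in width' (replay the signature set)
versus class recognition (held-out samples of the same attack class).
Signatures and samples are constructed, not taken from any real product."""
import re

# A misuse-detection engine: exact byte-string signatures (constructed).
SIGNATURES = {
    "traversal-001": b"GET /../../etc/passwd",
    "traversal-002": b"GET /..%2f..%2fetc/passwd",
    "sqli-001": b"' OR 1=1--",
}

def signature_match(payload: bytes) -> bool:
    """Misuse detection: alert only if a known signature is contained."""
    return any(sig in payload for sig in SIGNATURES.values())

# Attack classes defined by a predicate rather than by a fixed string
# (constructed, deliberately simplistic).
CLASSES = {
    "path traversal": lambda p: re.search(rb"(\.\./|\.\.%2f)", p, re.I) is not None,
    "sql injection": lambda p: re.search(rb"'\s*or\s+1\s*=\s*1", p, re.I) is not None,
}

def coverage_in_width(detector) -> float:
    """Replays the exact signature set: a misuse detector trivially scores 1.0."""
    samples = list(SIGNATURES.values())
    return sum(detector(s) for s in samples) / len(samples)

def class_recognition(detector, samples: dict[str, list[bytes]]) -> dict[str, float]:
    """Per-class detection rate over samples that belong to the class by
    predicate, regardless of whether they appear in the signature set."""
    out = {}
    for cls, pred in CLASSES.items():
        members = [s for s in samples.get(cls, []) if pred(s)]
        out[cls] = sum(detector(m) for m in members) / len(members) if members else 0.0
    return out

# Constructed held-out samples: same classes, different concrete bytes.
HELD_OUT = {
    "path traversal": [b"GET /../../etc/passwd",
                       b"GET /images/../../../etc/shadow",
                       b"GET /..%2F..%2Fetc/passwd"],
    "sql injection": [b"' OR 1=1--", b"' or 1 = 1 #", b"admin'  OR  1=1 --"],
}

if __name__ == "__main__":
    print("coverage in width:", coverage_in_width(signature_match))   # 1.0
    print("class recognition:", class_recognition(signature_match, HELD_OUT))
```

The width metric reports a perfect score while the class metric reports one hit in three per class, which is the distinction the post draws between the two kinds of test.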


