Re: TrafficIQ HTTP IE traffic coverage

[Devdas Bhagat <devdas () dvb homelinux org>]

On 10/10/06 13:10 +0530, SanjayR wrote:
<snip>
> signatures are not required!!!). One is going to a site which 
> contains a malicious file that causes IE to crash. so what..don't go 
> or don't download that.. anyway that file is bad.

Uhm, and then someone has a nice, Javascripted link to it somewhere else?
If you use IE (including any of the rendering components), then you can
be threatened by any attack on them.

> If my assumption is correct and justified, then TrafficIQ, as an 
> IDS/IPS evaluation tool, should not contain such traffic. Such 

Why? Malicious files can be transferred in any way, and deployed to IE,
not necessarily only via port 80.

> traffic, as such, does not evaluate capabilities of an IDS/IPS 
> effectively. Has TrafficIQ included such traffic just to advertise 
> its high number of various attacks?

This should be detectable. AFAIK, many other programs use the IE
rendering engine to render HTML, including Outlook and Outlook Express.
A DoS attack against the rendering engine couldcome in via a carefully
crafted HTML message.

Devdas Bhagat

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------