IDS mailing list archives

Re: ICSA Labs Network IPS Testing


From: Stefano Zanero <s.zanero () securenetwork it>
Date: Tue, 04 Dec 2007 22:32:37 +0100

Hi, didn't mean to interfere in your ongoing flame, but:

> IPS certification testing, I thought I ought to correct some misleading
> information

Oh, good, let's see! You don't mind if instead of going through your
whitepapers I just use your own email as a source, right?

IPS certification testing program.  The truth is that we do not "pick
specific attacks and say that you must block these." 

That's wonderful to hear. So, what do you do instead?

> provides coverage protection for all attacks targeting an evolving set
> of medium-to-high severity vulnerabilities that we and a consortium of
> 15 network IPS vendors
> (http://www.icsalabs.com/icsa/topic.php?tid=6a87$5813f3e2-37b77ee3$3b4a-
> f1d4a32d) believe are relevant to enterprise end users.

So, you pick specific attacks (which are a snapshot of a set of
vulnerabilities that you + the tested vendors believe are relevant) and
say "you must block these", right?

This seems exactly the same sentence that Joel posted, only a bit more
elaborate :)

And just to shoot another shot in the dead horse of IDPS testing,
testing MISUSE based detectors (as most IPS are) on "detection rate" is
pointless. Testing them on coverage is tricky at best, and does not
really provide any useful insight at all on IPS where (as Joel pointed
out) having 60k signatures instead of 30k does not really mean anything.

Oh, and on a side note:

> a) is in no position to speak authoritatively about ICSA Labs network
> IPS testing,

The sheer fact that someone is "in no position to speak" about your
tests means that your tests are lacking. If a test is properly
documented and scientific, everybody is in a position to speak about it.

In the particular case of Joel Snyder, who has been doing excellent
tests for a long time, I'd say he is in a particularly good position to
comment.

If this email sounds harsh, well, it is. I just don't like people
commenting AGAINST other people, instead of pointing out the specific
flaws in their posts.

Best,
Stefano
