IDS mailing list archives
Re: Protocol coverage metrics...
From: "Webmaster 003" <webmaster () networkdefense biz>
Date: Fri, 20 Mar 2009 11:21:54 -0500
Do you feel this is canonical, or would others have widely different results?
On Thu, 19 Mar 2009 18:10:17 -0500, kowsik <kowsik () gmail com> wrote:
If all you have is a pcap with some protocol packets in it, how would you know how much of the actual protocol specification (the possible set of fields that the packets could carry) is being covered? This is a useful metric to have when writing a dissector or IPS/DPI signatures. This is much in the spirit of code coverage. We used the Wireshark dissector documentation as the authoritative reference and then indexed all the protocol fields in the repository to see where we stand. You can check it out here: http://www.pcapr.net/browse/fields Besides, the index makes searching for pcaps with specific fields a whole lot easier. Looking for a SIP pcap that contains the WWW-Authenticate header? No problem, just type in "field:sip.www.authenticate" in the search bar and off you go. How about chunked-encoded HTTP stream with exploit.php? Search for "field:http.transfer.encoding AND exploit.php". Enjoy, K.
-- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
Current thread:
- Protocol coverage metrics... kowsik (Mar 20)
- Re: Protocol coverage metrics... Webmaster 003 (Mar 20)
- Re: Protocol coverage metrics... Aaron Turner (Mar 20)
- Re: Protocol coverage metrics... Webmaster 003 (Mar 20)