Because IDS/IPS companies spend a fair amount of their time/effort
tracking down these exploits and capturing them for their internal
development, QA and competitive testing. Unlike the AV industry the
IDS/IPS industry doesn't work together on detecting new exploits, and
hence if company A has a capture/exploit for a new worm before company
B then they can write a signature for it sooner and have better
coverage then their competition and beat their marketing drum louder.
-Aaron
--
http://synfin.net/
On Tue, 2 Nov 2004 11:00:58 -0600, Compton, Rich
<rcompton@chartercom.com> wrote:
Why the heck would a pcap be confidential? As far as I know the pcaps that
would be used in IPS testing would consist of some attack traffic (maybe
obfuscated w/ fragrouter) with a mix of valid traffic. You replay the pcap
and verify that the attack traffic was blocked. Anybody can generate and
record this traffic relatively easily. Would it be because some IPSs work
well with certain types of traffic (pcaps) and not very well with others?
If so, then the community should share this information and these pcap files
to reproduce the results. We could then make better informed decisions
about what is the right device to purchase for our networks.
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
