Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: TippingPoint Releases Open Source Code for FirstIntrusionPrev ention

from [ADT] Network Security [Permanent Link]
Subject: Re: TippingPoint Releases Open Source Code for FirstIntrusionPrev ention Test Tool, Tomahawk
Date: Sat, 6 Nov 2004 13:16:02 -0800 
(thread is getting long, so just going to snip the whole thing,
hopefully you kept a local copy)

Hey Greg/Marty,

I don't think anyone would argue that tcpreplay or tomahawk are
written for performance
testing of IDS or IPS.   I'm sure some people do that, but both have
rather limited use in that regards (you want to generate background
traffic using *your* network's traffic).  What tcpreplay and tomahawk
do rather well is provide the means to safely reproduce malicious
traffic for testing detection capabilities.

Unlike "live tests", tcpreplay/tomahawk don't require people to
distribute working exploit code
or attack an actual host which due to the nature of exploits will
likely have to be "fixed" in some
manner.  Unlike exploit code, there is no risk that a pcap will also
re-format your harddrive or
require you to install and configure a wide variety of operating
systems and applications to
attack.

Of course, unlike a "live test" there is some trust involved that the
pcap contains packets which
are relevant for the test you are running.   Wether or not this
precludes using either tool for being
used by someone evaluating an IDS/IPS probably depends on how much
they trust the pcaps.
For those people who don't want to trust pcaps and don't have the
means to get a library of working exploits, I'm sure Blade will be
more then happy to sell you IDS Informer (of course, now you have to
trust Blade, so you're just shifting your trust).

Of course if you already have a repository of valid pcaps (maybe
something the OSVDB guys could do?) with known attacks, then using
these tools probably make a lot of sense for certain kinds of tests.

Aaron, the tcpreplay guy

-- 
http://synfin.net/

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Snort signature packet generator, Graeme Connell
Next by Date:  Re: TippingPoint Releases Open Source Code for FirstIntrusionPrev ention Test Tool, Tomahawk, Martin Roesch
Previous by Thread:  Re: TippingPoint Releases Open Source Code for FirstIntrusionPrev ention Test Tool, Tomahawk, Greg Shipley
Next by Thread:  Re: TippingPoint Releases Open Source Code for FirstIntrusionPrev ention Test Tool, Tomahawk, Martin Roesch
Indexes:  [Date] [Thread] [Top] [All Lists]