
| Subject: | Re: Intrusion Prevention requirements document |
|---|---|
| Date: | Thu, 10 Nov 2005 11:27:12 -0500 |
> > I strongly believe that replay tools are NOT an effective way to test an IPS:
>
> That's quite a bold statement to make. I agree that they are not a panacea, but not effective? If that was the case, then why do tools such as TCPReplay, Tomahawk and even the Metasploit project exist, other than to replay in a controlled manner, live or pre-captured, sessions of an exploit to its natural conclusion? And why are these very tools used by the majority of the security vendors to augment the design and validation of signatures, not to mention by the testing labs in their relevant reports?
People use those replay tools because they're easy, not because they're effective.

Gather 'round kids, it's story time about someone testing with a replay tool. In order to test our 100Mb/s device they were using one of the freely available pcap multipliers that generates tons of traffic from just a few pcaps. Our device kept going into its DoS survivability mode to prevent a total outage and the tester was getting annoyed. But why, Mike? To generate that 100Mb of traffic it was actually simulating a network with 14K local hosts. Owwie. But it gets worse: it also simulated a network that received 270 million unique visitors a month, and Google only gets 80 million a month! It was actually pretty cool to see the DoS survivability stuff working so well under such a massive attack against our state/statistics gathering.

There are also other problems with many replay tools that force the IPS to serialize its processing instead of parallelizing or batching its processing.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28
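The sanity check implied by the story above, as an added example that is not part of the original message or any tool it names: before blaming the IPS for tripping into DoS survivability, profile the population the replay actually put on the wire. The flow-log format, the 10.0.0.0/8 "inside" range and the reference figures passed to `realism_warnings` are assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed "inside" address range
SECONDS_PER_MONTH = 30 * 24 * 3600

# Constructed flow log, "<seconds> <src_ip> <dst_ip> <bytes>" per packet, as the
# rewritten copies from a pcap multiplier would appear on the wire.
SAMPLE_FLOWS = """\
0.0 10.0.1.1 198.51.100.7 1500
0.0 10.0.1.2 198.51.100.8 1500
0.5 10.0.1.3 203.0.113.9 1500
1.0 10.0.2.4 198.51.100.10 1500
1.5 10.0.2.5 203.0.113.11 1500
2.0 10.0.1.1 198.51.100.12 1500
"""

@dataclass
class ReplayProfile:
    window_seconds: float
    mbps: float
    local_hosts: int
    external_hosts: int
    visitors_per_month: float  # distinct external hosts, extrapolated to a month

def profile_flows(text: str, local_net=LOCAL_NET) -> ReplayProfile:
    """Count distinct local/external hosts and offered load in a flow log."""
    local, external, times, total_bytes = set(), set(), [], 0
    for line in filter(str.strip, text.splitlines()):
        t, src, dst, nbytes = line.split()
        times.append(float(t))
        total_bytes += int(nbytes)
        for ip in map(ipaddress.ip_address, (src, dst)):
            (local if ip in local_net else external).add(ip)
    # Address rewriting makes every replayed copy a fresh set of hosts, so the
    # distinct-host count grows linearly with time: scale the window to a month.
    window = max(max(times) - min(times), 1.0) if times else 1.0
    return ReplayProfile(window, total_bytes * 8 / 1e6 / window, len(local),
                         len(external), len(external) / window * SECONDS_PER_MONTH)

def realism_warnings(p: ReplayProfile, real_local_hosts: int,
                     real_visitors_per_month: int) -> list[str]:
    """Flag a replay population larger than the network the IPS will protect."""
    warnings = []
    if p.local_hosts > real_local_hosts:
        warnings.append(f"simulates {p.local_hosts} local hosts, network has {real_local_hosts}")
    if p.visitors_per_month > real_visitors_per_month:
        warnings.append(f"implies {p.visitors_per_month:.0f} visitors/month, "
                        f"site expects {real_visitors_per_month}")
    return warnings
```

Even this six-packet window extrapolates to millions of "visitors" a month, which is exactly the effect a multiplier has on an IPS that keeps per-host state.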