>> " I strongly believe that replay tools are NOT an effective way to test an
>> IPS:"
>
> That's quite a bold statement to make. I agree that they are not a panacea,
> but not effective? If that was the case, then why do tools such as TCPReplay,
> Tomahawk and even the Metasploit project exist, other than to replay, in a
> controlled manner, live or pre-captured sessions of an exploit to its
> natural conclusion? And why are these very tools used by the majority of
> the security vendors to augment the design and validation of signatures, not
> to mention the testing labs in their relevant reports?
People use those replay tools because they're easy, not because they're
effective.

Gather 'round kids, it's story time about someone testing with a replay tool.
In order to test our 100Mb/s device they were using one of the freely
available pcap multipliers that generates tons of traffic from just a few
pcaps. Our device kept going into its DoS survivability mode to prevent a
total outage, and the tester was getting annoyed. But why, Mike? To generate
that 100Mb of traffic it was actually simulating a network with 14K local
hosts. Owwie. But it gets worse: it also simulated a network that received
270 million unique visitors a month, and Google only gets 80 million a month!
It was actually pretty cool to see the DoS survivability stuff working so
well under such a massive attack against our state/statistics gathering.

There are also other problems with many replay tools that force the IPS to
serialize its processing instead of parallelizing or batching it.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28
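
The story above, as an added illustration that is not part of the original
thread or of any product mentioned in it: a toy model of why a pcap
multiplier trips an IPS's state-tracking limits while plain repetition of the
same capture does not. It assumes (as a hypothetical, since the tool in the
story is not named) that the multiplier makes each copy of the capture
distinct by shifting the local source address, so a three-flow capture
replayed 7000 times looks like 14K local hosts. The flow records, the
host-count threshold and the "survivability mode" trigger are all constructed
for this example.

```python
"""Toy model: how a pcap "multiplier" inflates the host population an IPS must track.

Nothing here is a real capture or a real IPS; the flows and thresholds are
constructed to reproduce the numbers in the story (two local hosts per capture,
7000 copies -> 14000 apparent local hosts).
"""
import ipaddress

# Constructed sample flows standing in for a tiny capture: (src, dst, bytes).
# Two distinct local sources talking to two distinct servers.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 1500),
    ("10.0.0.6", "192.0.2.10", 800),
    ("10.0.0.5", "192.0.2.20", 3000),
]


def multiply_by_rewrite(flows, copies):
    """Assumed multiplier behaviour: each copy gets its own /24 of local sources.

    Shifting the source by i*256 means copy i appears to come from a different
    subnet, so every copy adds new hosts to whatever the IPS is tracking.
    """
    out = []
    for i in range(copies):
        for src, dst, nbytes in flows:
            new_src = str(ipaddress.IPv4Address(src) + i * 256)
            out.append((new_src, dst, nbytes))
    return out


def multiply_by_repeat(flows, copies):
    """Plain replay of the same capture N times: same hosts, just more bytes."""
    return [flow for _ in range(copies) for flow in flows]


class ToyStateTracker:
    """Minimal stand-in for per-host state/statistics gathering in an IPS.

    It only counts distinct local sources and flips into a constructed
    "survivability mode" once that count exceeds max_hosts, mirroring the
    behaviour described in the story at a very coarse level.
    """

    def __init__(self, max_hosts):
        self.max_hosts = max_hosts
        self.hosts = set()
        self.survivability_mode = False

    def observe(self, flows):
        for src, _dst, _nbytes in flows:
            self.hosts.add(src)
            if len(self.hosts) > self.max_hosts:
                self.survivability_mode = True
        return self.survivability_mode


def run_scenario(multiplier, copies, max_hosts=1000):
    """Replay SAMPLE_FLOWS through `multiplier` and report what the tracker saw."""
    flows = multiplier(SAMPLE_FLOWS, copies)
    tracker = ToyStateTracker(max_hosts)
    tripped = tracker.observe(flows)
    return {
        "flows": len(flows),
        "local_hosts": len(tracker.hosts),
        "survivability_mode": tripped,
    }


if __name__ == "__main__":
    # Same byte volume either way; only the address rewrite blows up host state.
    print("rewrite:", run_scenario(multiply_by_rewrite, 7000))
    print("repeat: ", run_scenario(multiply_by_repeat, 7000))
```

The point the model makes is that throughput alone is not the load an IPS
feels: a multiplier that manufactures distinct hosts to reach a bandwidth
target is really a test of the state tables, and a device that sheds state
under those conditions is behaving as designed rather than failing the test.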
