Hi All:
Few days ago, I got a chance to work on TrafficIQ (karalon IDS/IPS
evaluation device). With its latest update, Traffic IQ has traffic
for many attacks. A majority of HTTP traffic is related to IE crash
(or DoS). I have a doubt at this point. TrafficIQ is used to evaluate
IDS/IPS, which in turn is used to detect the sign of attacks and at
the same time, it should not become a bottleneck (esp. IPS) by taking
too much time to process packets. Therefore, the signatures should be
optimized well, which implies that number of signatures should be
kept as minimum as possible without compromising the internal network
security. From this standpoint, I have an opinion that all the IE (or
other clients) crash or DoS related signatures should have lowest
priority, because as such these attacking activities are not doing
any harm to internal network. (I may go a little further to say, such
signatures are not required!!!). One is going to a site which
contains a malicious file that causes IE to crash. so what..don't go
or don't download that.. anyway that file is bad.
If my assumption is correct and justified, then TrafficIQ, as an
IDS/IPS evaluation tool, should not contain such traffic. Such
traffic, as such, does not evaluate capabilities of an IDS/IPS
effectively. Has TrafficIQ included such traffic just to advertise
its high number of various attacks?
Please let me know if i have gone wrong with my assumtion.
thanks
Sanjay
Security Research Engineer
INTOTO Software (India) Private Limited
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
