In my view, the test should be as comprehensive as possible. If you
choose not to put some rules into your IDS/IPS for good reasons,
that's fine, but I think the test should tell you every possible
exploit that can get through your IDS/IPS. You don't have to
configure your IDS a certain way just because a test told you to; the
point of the test is to give you information about your IDS that you
can use to configure it the way you feel is best.
That said, I haven't used TrafficIQ, and I don't work there. If you
feel that TrafficIQ is missing tests for some critical
vulnerabilities, and that the developers have neglected these in
order to write tests for IE DoS instead (maybe because it's easier to
write tests for the IE DoSes than for other vulnerabilities, but I
don't know if that's the case), that would be significant. On the
other hand, I don't think it is a big deal if they test more things
than you care about; that is better than testing fewer things than
you care about.
I think it is also important to keep in mind that IDS tests, Nessus
scans, and the like are supposed to be interpreted by qualified
individuals. If you are having a problem like your boss freaking out
because the test results say that your IDS isn't configured to
protect you from a long list of IE DoS vulnerabilities, and he
doesn't even know what the test results mean, that's a layer 8
problem, not a problem with the test. YOU obviously know you can
safely ignore all the test results that deal with IE DoS
vulnerabilities, the same way I know to ignore Nessus when it says
Apache 1.3 is vulnerable on my OpenBSD systems.
On Oct 10, 2006, at 1:40 AM, SanjayR wrote:
Hi All:
A few days ago, I got a chance to work on TrafficIQ (Karalon's IDS/IPS
evaluation device). With its latest update, Traffic IQ has traffic
for many attacks. A majority of the HTTP traffic is related to IE crashes
(or DoS). I have a doubt at this point. TrafficIQ is used to
evaluate IDS/IPS, which in turn is used to detect signs of
attacks, and at the same time it should not become a bottleneck
(esp. IPS) by taking too much time to process packets. Therefore,
the signatures should be well optimized, which implies that the number
of signatures should be kept to a minimum without
compromising the internal network's security. From this standpoint, I
am of the opinion that all the IE (or other client) crash or DoS
related signatures should have the lowest priority, because as such
these attacking activities are not doing any harm to the internal
network. (I may go a little further and say that such signatures are not
required!!!) One goes to a site which contains a malicious
file that causes IE to crash. So what? Don't go there, or don't download
it; anyway, that file is bad.
If my assumption is correct and justified, then TrafficIQ, as an
IDS/IPS evaluation tool, should not contain such traffic. Such
traffic, as such, does not evaluate capabilities of an IDS/IPS
effectively. Has TrafficIQ included such traffic just to advertise
its high number of various attacks?
Please let me know if I have gone wrong with my assumption.
Thanks
Sanjay
Security Research Engineer
INTOTO Software (India) Private Limited
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks
from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------