IDS mailing list archives

Re: Intrusion Prevention requirements document


From: ADT <synfinatic () gmail com>
Date: Mon, 14 Nov 2005 19:25:08 -0800

Sorry for being late to the party...

I think what most people are forgetting about replay tools is that
they're an easy way to CYA before you deploy a box inline on your
network.  Tomahawk, tcpreplay, and Traffic IQ all support taking
pcap's of traffic captured on *your network* and running it through
the IPS/whatever.

If you've ever wondered about things like:
- Is there legit traffic running on my network that this vendor
incorrectly tags/drops as malicious?
- Will this device fall over under load due to odd traffic patterns
that occur on my network?

Then I would suggest using a replay tool to find out since we all know
that forwarding traffic forces the IPS/whatever to do more work than
just sitting there and sniffing traffic on a tap/SPAN port.

Replay tools are also great ways to do repeatable tests of malicious
traffic since they support emulating the client and server side of the
connection.  Once you capture malicious traffic (which may crash the
target or worse) you can replay that traffic in an enclosed testbed
without worrying about having to "fix" the target for the next attack.
Not useful in every situation, but there are cases where this is
useful (think automated regression testing).

Are replay tools the end-all and be-all of security tools?  Hell no. 
And of course you can use a replay tool in a manner which negates
their usefulness; just because you *can* do something doesn't mean
it's valid for your environment.

Regards,
Aaron (who's somewhat biased as the author of the tcpreplay suite)
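The client/server split the post mentions is the first step of any two-interface replay: every packet in the capture has to be tagged with the side it came from before it can be sent out of the "client" or the "server" NIC. The following is an added example, not code from the original post or from the tcpreplay project; it is a minimal, dependency-free pcap reader in the spirit of tcpreplay's tcpprep that tags each TCP packet by side. The rule it applies (the sender of the first bare SYN in a flow is the client; flows whose handshake was not captured fall back to treating the lower port as the server) and the small capture it parses are both constructed here for illustration, as are all function names.

```python
# Added example (not from the original post or the tcpreplay project): tag
# each TCP packet in a classic pcap as client- or server-side, the split a
# two-interface replay needs before traffic is pushed through an inline IPS.
import struct
from typing import Dict, FrozenSet, List, Optional, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read little-endian: file written little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # magic as read little-endian: file written big-endian
DLT_EN10MB = 1               # Ethernet link type
SYN, PSH, ACK = 0x02, 0x08, 0x10

Packet = Tuple[float, bytes]   # (timestamp in seconds, raw frame)
Endpoint = Tuple[str, int]     # (IPv4 address, TCP port)


def parse_pcap(data: bytes) -> List[Packet]:
    """Parse a classic (non-pcapng) Ethernet pcap into (timestamp, frame) pairs."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        e = "<"
    elif magic == PCAP_MAGIC_BE:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    _maj, _min, _tz, _sig, _snaplen, linktype = struct.unpack_from(e + "HHiIII", data, 4)
    if linktype != DLT_EN10MB:
        raise ValueError("example handles Ethernet (DLT_EN10MB) captures only")
    packets, off = [], 24
    while off + 16 <= len(data):               # 16-byte per-packet record header
        sec, usec, incl_len, _orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        packets.append((sec + usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return packets


def decode_tcp(frame: bytes) -> Optional[Tuple[str, int, str, int, int]]:
    """Return (src, sport, dst, dport, tcp_flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                        # IPv4 header length in bytes
    if frame[23] != 6:                                    # IP protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = 14 + ihl
    if len(frame) < tcp + 14:
        return None
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    return src, sport, dst, dport, frame[tcp + 13]        # byte 13 of TCP header = flags


def classify_sides(packets: List[Packet]) -> List[str]:
    """Label each packet 'client', 'server' or 'unknown' (non-IPv4/TCP).

    Constructed rule: the sender of the first SYN-without-ACK in a flow is the
    client. If no handshake was captured, the lower port is assumed to be the
    server, which is a heuristic and can be wrong for non-standard services.
    """
    clients: Dict[FrozenSet[Endpoint], Endpoint] = {}
    labels = []
    for _ts, frame in packets:
        hdr = decode_tcp(frame)
        if hdr is None:
            labels.append("unknown")
            continue
        src, sport, dst, dport, flags = hdr
        key = frozenset([(src, sport), (dst, dport)])   # direction-independent flow key
        if key not in clients:
            if flags & SYN and not flags & ACK:
                clients[key] = (src, sport)
            else:
                clients[key] = (src, sport) if sport > dport else (dst, dport)
        labels.append("client" if clients[key] == (src, sport) else "server")
    return labels


def count_sides(pcap_bytes: bytes) -> Dict[str, int]:
    """Summarise how a capture would be split between the two replay interfaces."""
    counts: Dict[str, int] = {}
    for label in classify_sides(parse_pcap(pcap_bytes)):
        counts[label] = counts.get(label, 0) + 1
    return counts


# --- constructed sample capture (not real traffic) -------------------------
def build_frame(src: str, sport: int, dst: str, dport: int, flags: int, payload: bytes = b"") -> bytes:
    eth = b"\x66\x77\x88\x99\xaa\xbb" + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes], gap: float = 0.01) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for i, f in enumerate(frames):
        sec, usec = divmod(round(i * gap * 1e6), 1_000_000)
        out += struct.pack("<IIII", int(sec), int(usec), len(f), len(f)) + f
    return out


SAMPLE_FRAMES = [
    build_frame("10.0.0.5", 40000, "10.0.0.80", 80, SYN),             # client -> server
    build_frame("10.0.0.80", 80, "10.0.0.5", 40000, SYN | ACK),       # server -> client
    build_frame("10.0.0.5", 40000, "10.0.0.80", 80, ACK),
    build_frame("10.0.0.5", 40000, "10.0.0.80", 80, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame("10.0.0.80", 80, "10.0.0.5", 40000, PSH | ACK, b"HTTP/1.0 200 OK\r\n\r\n"),
    # mid-stream flow with no handshake in the capture: port heuristic applies
    build_frame("10.0.0.9", 443, "10.0.0.7", 51000, PSH | ACK, b"\x17\x03\x03\x00\x05hello"),
    b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28,   # ARP, not TCP
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for (ts, _), side in zip(parse_pcap(SAMPLE_PCAP), classify_sides(parse_pcap(SAMPLE_PCAP))):
        print(f"{ts:8.3f}s  {side}")
    print(count_sides(SAMPLE_PCAP))
```

The point of the fallback branch is the practical one: captures taken from a SPAN port rarely start at the first SYN of every flow, and a packet mis-tagged to the wrong side is replayed out of the wrong interface, so the IPS sees a conversation that never happened on your network. Checking the per-side counts against what you expect from the capture is a cheap sanity test before any inline run.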


