IDS mailing list archives
Re: TrafficIQ HTTP IE traffic coverage
From: "Abhishek Bhuyan" <abhuyan () gmail com>
Date: Thu, 12 Oct 2006 16:14:50 +0530
May be people are not as clever as you are? :) How about the latest VML and setSlice() exploit? You don't even need to need to click download. Some HIPS vendor do cover client side vulnerabilities. I don't think it's wrong releasing such traffic by TrafficIQ. -Abhishek On 10/10/06, SanjayR <sanjayr () intoto com> wrote:
Hi All: Few days ago, I got a chance to work on TrafficIQ (karalon IDS/IPS evaluation device). With its latest update, Traffic IQ has traffic for many attacks. A majority of HTTP traffic is related to IE crash (or DoS). I have a doubt at this point. TrafficIQ is used to evaluate IDS/IPS, which in turn is used to detect the sign of attacks and at the same time, it should not become a bottleneck (esp. IPS) by taking too much time to process packets. Therefore, the signatures should be optimized well, which implies that number of signatures should be kept as minimum as possible without compromising the internal network security. From this standpoint, I have an opinion that all the IE (or other clients) crash or DoS related signatures should have lowest priority, because as such these attacking activities are not doing any harm to internal network. (I may go a little further to say, such signatures are not required!!!). One is going to a site which contains a malicious file that causes IE to crash. so what..don't go or don't download that.. anyway that file is bad. If my assumption is correct and justified, then TrafficIQ, as an IDS/IPS evaluation tool, should not contain such traffic. Such traffic, as such, does not evaluate capabilities of an IDS/IPS effectively. Has TrafficIQ included such traffic just to advertise its high number of various attacks? Please let me know if i have gone wrong with my assumtion. thanks Sanjay Security Research Engineer INTOTO Software (India) Private Limited ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
Current thread:
- TrafficIQ HTTP IE traffic coverage SanjayR (Oct 11)
- Re: TrafficIQ HTTP IE traffic coverage Daniel DeLeo (Oct 12)
- Re: TrafficIQ HTTP IE traffic coverage Abhishek Bhuyan (Oct 12)
- Re: TrafficIQ HTTP IE traffic coverage Devdas Bhagat (Oct 13)
- <Possible follow-ups>
- Re: Re: TrafficIQ HTTP IE traffic coverage Sanjay R (Oct 12)
- Re: Re: TrafficIQ HTTP IE traffic coverage Devdas Bhagat (Oct 13)
- Re: Re: TrafficIQ HTTP IE traffic coverage Frank Knobbe (Oct 13)
- Re: TrafficIQ HTTP IE traffic coverage jimmywong78 (Oct 16)