IDS mailing list archives

Re: TrafficIQ HTTP IE traffic coverage


From: "Abhishek Bhuyan" <abhuyan () gmail com>
Date: Thu, 12 Oct 2006 16:14:50 +0530

Maybe people are not as clever as you are? :) How about the latest
VML and setSlice() exploit? You don't even need to click
download. Some HIPS vendors do cover client side vulnerabilities. I
don't think it's wrong releasing such traffic by TrafficIQ.

-Abhishek



On 10/10/06, SanjayR <sanjayr () intoto com> wrote:
Hi All:
A few days ago, I got a chance to work on TrafficIQ (Karalon IDS/IPS
evaluation device). With its latest update, Traffic IQ has traffic
for many attacks. A majority of HTTP traffic is related to IE crash
(or DoS). I have a doubt at this point. TrafficIQ is used to evaluate
IDS/IPS, which in turn is used to detect the sign of attacks and at
the same time, it should not become a bottleneck (esp. IPS) by taking
too much time to process packets. Therefore, the signatures should be
optimized well, which implies that number of signatures should be
kept as minimum as possible without compromising the internal network
security. From this standpoint, I have an opinion that all the IE (or
other clients) crash or DoS related signatures should have lowest
priority, because as such these attacking activities are not doing
any harm to internal network. (I may go a little further to say, such
signatures are not required!!!). One is going to a site which
contains a malicious file that causes IE to crash. So what... don't go
or don't download that... anyway that file is bad.
If my assumption is correct and justified, then TrafficIQ, as an
IDS/IPS evaluation tool, should not contain such traffic. Such
traffic, as such, does not evaluate capabilities of an IDS/IPS
effectively. Has TrafficIQ included such traffic just to advertise
its high number of various attacks?
Please let me know if I have gone wrong with my assumption.
Thanks


Sanjay
Security Research Engineer
INTOTO Software (India) Private Limited


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------




