IDS mailing list archives
Re: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk
From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 2 Nov 2004 20:21:50 -0500
I'm the original author of Snort as well as the founder of Sourcefire
(yes, it is called Sourcefire, I also came up with the name). What
TippingPoint has released is basically tcpreplay with some connection
testing functionality from what I can see. It's good to see them
contributing to the open source community! Sourcefire makes
Snort-based sensor and management infrastructure as well as cool
technology like RNA; IDS is a component of what we do but not the whole
sum of our offering.
Sourcefire continues to innovate in the IDS arena and contribute those
innovations back to the open source security community. If you look at
the development history of Snort over the past ~4 years since
Sourcefire was founded you will see that we are dedicated to keeping
the open source community on the cutting edge of Snort development.
Recent examples include our new portscan detector and target-based
defragmentation system that were developed internally at Sourcefire
with Sourcefire dollars and then freely contributed back to the OSS
community.
As far as pcaps are concerned, pcaps in a vacuum don't really add a
whole lot beyond just testing basic detection capabilities. You need
to have real high grade network testing equipment like the stuff
Spirent makes so that you can develop normalized, repeatable test
environments in which to test detection capabilities. Measuring
latency, throughput, etc. is also best done in an environment where you
can set up repeatable test environments, or at least where you can set up
repeatable baseline environments to transmit your pcaps over the top
of. Tcpreplay doesn't meet this requirement particularly well all by
itself, nor will the TippingPoint software.
Greg Shipley and the Neohapsis guys can comment on this stuff better
than I, but one thing that I've learned from building Sourcefire for
the past ~4 years is that testing gigabit IDS/IPS systems requires
considerable expertise and infrastructure if you want to do anything
more than just test basic detection capability.
-Marty
On Nov 2, 2004, at 10:40 AM, kquest () toplayer com wrote:
I'm aware that SourceFire (or whatever it's called)
is backing up Snort; however, that's not how Snort started
(snort was already there when SourceFire was created,
which is similar to what happened with zebra).
I'm sorry if my history of snort is not correct,
but I thought that's how it was. It's totally opposite
to what we have there, where we have.
There's also a difference between what's going on
with Snort and this tool. SourceFire makes an IDS
tool based on Snort where TippingPoint makes an IPS
device and this tool is supposed to test IPSes.
I do have pcaps to contribute, but I'm definitely
not going to give them on a silver platter to TippingPoint.
We need a next generation IDS/IPS/whatever testing
tool that goes beyond simple pcap replay. We need something
that can take a pcap... then fully parse it (not just
data link, network, and transport layers) and then
have application intelligence to do something actually
useful with it (e.g., perform application fragmentation
for RPC, etc). The list goes on...
------------------------------------------------------------
- Kyle, Don't forget the 'snort' folks have just as much of a
vendor presence as TippingPoint or any other IDS vendor. TippingPoint
_may_ be trying to encourage use of their tool for IDS evolution as a
whole, much like snort has, yet still has hopes they will get some
benefit from their free tool.
Now do you have any pcaps to contribute to snort or the rest of
us packetninjas?
-Dan
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org