Compton, Rich | 1 Nov 2004 18:00

TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk

FYI guys...

TippingPoint Releases Open Source Code for First Intrusion Prevention
Test Tool, Tomahawk 

AUSTIN, Texas - November 1, 2004 - TippingPoint Technologies, Inc. (NASDAQ:
TPTI), the leader in intrusion prevention, today announced the availability
and open source release of Tomahawk™, the first test tool designed
specifically to evaluate the unique capabilities of network-based intrusion
prevention systems (IPS).

"TippingPoint is contributing Tomahawk to the public to make IPS testing
easier and more affordable for end users," said TippingPoint's Chief
Technology Officer Marc Willebeek-LeMair. "By enabling users to evaluate
security, performance, and usability in real world environments, we believe
it will accelerate the adoption of intrusion prevention and confirm its
necessity in today's threat environment. We believe the benefit of open
sourcing the tool to facilitate IPS testing outweighs the potential benefits
of commercializing the tool."  

An IPS is as much a networking device as it is a security device. Customers
should be confident that the IPS they buy will not adversely impact their
network and will perform security functions accurately. Although intrusion
prevention systems are gaining mainstream acceptance and recognized as a
best practice technology, tools for evaluating these systems are still
primitive. Designed for testing other security products, current tools are
expensive, limited in functionality, and unable to simulate the heavy load
of real networks under attack. 

TippingPoint developed Tomahawk to test the first network-based IPS in 2002,

Blyth A J C (Comp | 1 Nov 2004 17:28

Bot and Bot Nets

Greetings,

I am in the process of conducting a Research Project on how to stop Bots
and Bot-Nets. As part of that research project I am looking for people
who have captured bots to please forward them to me so that they can form
part of our analysis. Please send all BOTS to the following address:

	Dr. Andrew Blyth
	Head of the Information Security Research Group
	School of Computing
	University of Glamorgan
	Pontypridd
	RCT
	CF37 1DL

	Tel:	+44 1443 48 2245
	Fax:  +44 1443 482715
	Email:ajcblyth <at> glam.ac.uk

Regards

Andrew

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 

Kyle Quest | 2 Nov 2004 04:20

Re: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk

In-Reply-To: <B0DF0180764CDC4888BACFD27C84125F10CF8E27 <at> stl02mexc11.corp.chartercom.com>

TippingPoint is making some interesting claims here:
1. "the first test tool designed specifically 
    to evaluate the unique capabilities of 
    network-based intrusion prevention systems",
2. "end users can set up their own IPS test 
    beds free of charge",
3. "TippingPoint is contributing Tomahawk 
    to the public to make IPS testing
    easier and more affordable for end users"

The big questions are... how useful is it and 
what is the motivation behind it? This looks 
like yet another pcap replay tool (remember tcpreplay :-]) 
that doesn't bring much new to the table. 
The heart and the soul of tools like this is 
the set of test pcaps; however, it's very unlikely 
that TippingPoint will give away their pcaps 
(for the same reason NetScreen doesn't give 
away its pcaps for tcpreplay). Without that... 
there seems to be very little use for it. 
I'd like to quote something Aaron Turner
(creator of tcpreplay who works for NetScreen)
said in one of his emails: 
"...NetScreen, like probably most companies
 considers our set of pcaps confidential; 
 mostly because the amount of work that goes 
 into creating them."


Nick Black | 2 Nov 2004 08:12

Re: Bot and Bot Nets

Blyth A J C (Comp) assumed the extended riemann hypothesis and showed:
> I am in the process of conducting a Research Project on how to stop Bots
> and Bot-Nets. As part of that research project I am looking for people
> who have captured bots to please forward them to me so that they can form
> part of our analysis. Please send all BOTS to the following address:

You may want to speak with a few members of Wenke Lee's IDS team at the
Georgia Tech Information Security Center (http://www.gtisc.gatech.edu/),
especially David Dagon.  They were looking into this topic the last time
I caught up, prior to RAID 2004.

--

-- 
nick black                  "np:  the class of dashed hopes and idle dreams."


Marc Heuse | 2 Nov 2004 12:32

DIMVA 2005 - Call for Papers

-------------------------------------------------------------------------------

                              CALL FOR PAPERS

                                 DIMVA 2005

                      Second GI SIG SIDAR Conference on
        Detection of Intrusions & Malware, and Vulnerability Assessment
       In Cooperation with the IEEE Task Force on Information Assurance

                              Vienna, Austria
                              July 7 - 8, 2005 

                        http://www.dimva.org/dimva2005
                            mailto:info <at> dimva.org

-------------------------------------------------------------------------------

The special interest group Security - Intrusion Detection and Response (SIDAR)
of the German Informatics Society (GI) organizes DIMVA as an annual conference
that brings together experts from throughout Europe to discuss the state of the
art in the areas of intrusion detection, detection of malware, and assessment
of vulnerabilities. DIMVA emphasizes the collaboration and exchange of ideas


Clemens, Dan | 2 Nov 2004 16:16

RE: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk


 

	>What we need... is Snort for IPS/IDS/Firewall 
	>testing, which would be advanced by the security 
	>community and not by a commercial company whose 
	>business interests are in conflict with the purpose 
	>of the tool. 


	That's just my take on it... 


	- Kyle, Don't forget the 'snort' folks have just as much of a vendor presence as TippingPoint or any other
IDS vendor. TippingPoint _may_ be trying to encourage use of their tool for IDS evolution as a whole, much
like snort has, yet still has hopes they will get some benefit from their free tool.

	Now do you have any pcaps to contribute to snort or the rest of us packetninjas?

	-Dan


Confidentiality Notice: This e-mail communication and any attachments may contain 
confidential and privileged information for the use of the designated recipients named above. If 
you are not the intended recipient, you are hereby notified that you have received this 
communication in error and that any review, disclosure, dissemination, distribution or 
copying of it or its contents is prohibited. If you have received this communication in 
error, please notify me immediately by replying to this message and deleting it from your 
computer. Thank you.

kquest | 2 Nov 2004 16:40

RE: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk

I'm aware that SourceFire (or whatever it's called) 
is backing up Snort; however, that's not how Snort started
(snort was already there when SourceFile was created, 
 which is similar to what happened with zebra).
I'm sorry if my history of snort is not correct,
but I thought that's how it was. It's totally opposite
to what we have there, where we have.

There's also a difference between what's going on
with Snort and this tool. SourceFire makes an IDS
tool based on Snort where TippingPoint makes an IPS
device and this tool is supposed to test IPSes.

I do have pcaps to contribute, but I'm definitely
not going to give them on a silver platter to TippingPoint.
We need a next generation IDS/IPS/whatever testing
tool that goes beyond simple pcap replay. We need something
that can take a pcap... then fully parse it (not just
data link,network, and transport layers) and then
have application intelligence to do something actually
useful with it (e.g., perform application fragmentation
for RPC, etc). The list goes on...

------------------------------------------------------------

- Kyle, Don't forget the 'snort' folks have just as much of a
vendor presence as TippingPoint or any other IDS vendor. TippingPoint
_may_ be trying to encourage use of their tool for IDS evolution as a
whole  much like snort has yet still has hopes they will get some
benefit from their free tool.

Compton, Rich | 2 Nov 2004 18:00

RE: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk

Why the heck would a pcap be confidential?  As far as I know the pcaps that
would be used in IPS testing would consist of some attack traffic (maybe
obfuscated w/ fragrouter) with a mix of valid traffic.  You replay the pcap
and verify that the attack traffic was blocked.  Anybody can generate and
record this traffic relatively easily.  Would it be because some IPSs work
well with certain types of traffic (pcaps) and not very well with others?
If so, then the community should share this information and these pcap files
to reproduce the results.  We could then make better informed decisions
about what is the right device to purchase for our networks.

-----Original Message-----
From: Kyle Quest [mailto:kquest <at> toplayer.com]
Sent: Monday, November 01, 2004 9:21 PM
To: focus-ids <at> securityfocus.com
Subject: Re: TippingPoint Releases Open Source Code for First Intrusion
Prevention Test Tool, Tomahawk

In-Reply-To:
<B0DF0180764CDC4888BACFD27C84125F10CF8E27 <at> stl02mexc11.corp.chartercom.com>

TippingPoint is making some interesting claims here:
1. "the first test tool designed specifically 
    to evaluate the unique capabilities of 
    network-based intrusion prevention systems",
2. "end users can set up their own IPS test 
    beds free of charge",
3. "TippingPoint is contributing Tomahawk 
    to the public to make IPS testing
    easier and more affordable for end users"

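Rich's description of the replay-and-verify step (replay a pcap that mixes attack and valid traffic through the IPS, then check that the attack traffic was blocked) can be made concrete as a small harness. The following is an added example, not code from any message in this thread and not part of Tomahawk or tcpreplay: it parses two classic-format pcap captures, the one injected on the ingress side of the device under test and the one recorded on its egress side, keys packets by TCP/UDP flow, and reports which labelled attack flows were blocked, which leaked through, and which benign flows were wrongly dropped. The captures, host addresses and ports are constructed in-line (hypothetical values) so that it runs offline without a device.

```python
"""IPS replay verification: diff the ingress capture against the egress capture
by flow. Added example; hosts, ports and captures below are constructed."""
import struct
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto sport dport")
ETH_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP-or-UDP frame (constructed test data;
    checksums are left zero because the parser below does not verify them)."""
    if proto == IPPROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     _ip(src), _ip(dst))
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETH_IPV4)
    return eth + ip + l4


def build_pcap(frames):
    """Serialise frames as a classic little-endian pcap (magic 0xa1b2c3d4, link type 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f  # ts_sec, ts_usec, incl, orig
    return out


def flows_in_pcap(data):
    """Parse a classic pcap byte string and return the set of TCP/UDP flows in it."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    flows, off = set(), 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue  # not IPv4: nothing to key a flow on
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        l4 = frame[14 + ihl:]
        if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(l4) < 4:
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        flows.add(Flow(src, dst, proto, sport, dport))
    return flows


def verify_blocking(sent_pcap, passed_pcap, attack_flows):
    """Compare what was replayed into the device with what came out the other side.
    Returns the attack flows that were blocked, the ones that leaked, and the
    benign flows the device dropped (false positives)."""
    sent, passed = flows_in_pcap(sent_pcap), flows_in_pcap(passed_pcap)
    attack = set(attack_flows) & sent
    benign = sent - attack
    return {"blocked": attack - passed,
            "leaked": attack & passed,
            "benign_dropped": benign - passed}


# Constructed sample: one benign HTTP flow and two flows labelled as attacks.
BENIGN = Flow("10.0.0.5", "10.0.0.80", IPPROTO_TCP, 40000, 80)
ATTACK_A = Flow("10.0.0.66", "10.0.0.80", IPPROTO_TCP, 40001, 80)
ATTACK_B = Flow("10.0.0.66", "10.0.0.53", IPPROTO_UDP, 40002, 53)


def _frame_for(flow, payload):
    return build_frame(flow.src, flow.dst, flow.proto, flow.sport, flow.dport, payload)


SENT_PCAP = build_pcap([_frame_for(BENIGN, b"GET / HTTP/1.0\r\n\r\n"),
                        _frame_for(ATTACK_A, b"A"), _frame_for(ATTACK_B, b"B")])
# Suppose the device under test let ATTACK_B through but stopped ATTACK_A.
PASSED_PCAP = build_pcap([_frame_for(BENIGN, b"GET / HTTP/1.0\r\n\r\n"),
                          _frame_for(ATTACK_B, b"B")])


def run_example():
    return verify_blocking(SENT_PCAP, PASSED_PCAP, {ATTACK_A, ATTACK_B})


if __name__ == "__main__":
    print(run_example())
```

In a real test bed the two byte strings would be read from files captured on either side of the device; keying on the 5-tuple rather than on individual packets is what lets the check tolerate an inline device that normalises or re-segments traffic, and the `benign_dropped` set is the false-positive count that Rich's "will not adversely impact their network" concern asks for.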

Mitchell Ashley | 2 Nov 2004 18:56

RE: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk

Let's face it, any "open" IPS testing tool released by any IPS vendor will
have little industry or customer credibility. This is reminiscent of the
early RDBMS days when the vendors created their own proprietary benchmarks.
They had little credibility until the benchmark tests were defined, specified
and improved by industry standards groups. 

Caveat emptor.

. . .
Mitchell Ashley
CTO
StillSecure

303-881-9353 Mobile
303-381-3880 Fax

www.stillsecure.com
Reducing your risk has never been this easy.
. . .
The information transmitted is intended only for the person to which it is
addressed and may contain confidential material. Review or other use of this
information by persons other than the intended recipient is prohibited. If
you've received this in error, please contact the sender and delete from any
computer. 

-----Original Message-----
From: Clemens, Dan [mailto:Dan.Clemens <at> healthsouth.com] 
Sent: Tuesday, November 02, 2004 8:17 AM
To: Kyle Quest; focus-ids <at> securityfocus.com
Subject: RE: TippingPoint Releases Open Source Code for

Ron Gula | 3 Nov 2004 15:11

RE: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk

At 11:00 AM 11/2/2004 -0600, Compton, Rich wrote:
>Why the heck would a pcap be confidential?

There is a great deal of effort in generating pcap files.

On one hand, if you have 'live' traffic captured from a
university or corporation, there is a ton of sensitive
data like email and password in it.

On the other hand, if you have a lab, and your IDS/IPS
guys have actually taken the time to configure several
*hundred* different target systems, generate traces for
the several *thousand* common attacks and throw in traces
of Nessus, NeWT, eEye, ISS, NMAP, etc. and then throw in
traces of the web attacks permutated with the dozen or
so evasion techniques, one can see that the sheer effort
of cataloging, capturing and maintaining this data makes
it confidential.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
Lightning   - Enterprise Security Manager
Thunder     - Enterprise Log Manager
NeVO        - Passive Vulnerability and Intrusion Sensor
Nessus/NeWT - Network and Host vulnerability Scanning
