Focus on IDS
Protocol coverage metrics... Mar 19 2009 11:10PM
kowsik (kowsik gmail com) (1 replies)
If all you have is a pcap with some protocol packets in it, how would
you know how much of the actual protocol specification (the possible
set of fields that the packets could carry) is being covered? This is
a useful metric to have when writing a dissector or IPS/DPI
signatures. This is much in the spirit of code coverage.

We used the Wireshark dissector documentation as the authoritative
reference and then indexed all the protocol fields in the repository
to see where we stand. You can check it out here:

http://www.pcapr.net/browse/fields

Besides, the index makes searching for pcaps with specific fields a
whole lot easier. Looking for a SIP pcap that contains the
WWW-Authenticate header? No problem, just type in
"field:sip.www.authenticate" in the search bar and off you go. How
about chunked-encoded HTTP stream with exploit.php? Search for
"field:http.transfer.encoding AND exploit.php".

Enjoy,

K.

[ reply ]
Re: Protocol coverage metrics... Mar 20 2009 04:21PM
Webmaster 003 (webmaster networkdefense biz) (1 replies)
Re: Protocol coverage metrics... Mar 20 2009 08:29PM
Aaron Turner (synfinatic gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus