Focus on IDS
Protocol coverage metrics... Mar 19 2009 11:10PM
kowsik (kowsik gmail com) (1 replies)
Re: Protocol coverage metrics... Mar 20 2009 04:21PM
Webmaster 003 (webmaster networkdefense biz) (1 replies)
Do you feel this is canonical, or would others have widely different
results?

On Thu, 19 Mar 2009 18:10:17 -0500, kowsik <kowsik (at) gmail (dot) com [email concealed]> wrote:

> If all you have is a pcap with some protocol packets in it, how would
> you know how much of the actual protocol specification (the possible
> set of fields that the packets could carry) is being covered? This is
> a useful metric to have when writing a dissector or IPS/DPI
> signatures. This is much in the spirit of code coverage.
>
> We used the Wireshark dissector documentation as the authoritative
> reference and then indexed all the protocol fields in the repository
> to see where we stand. You can check it out here:
>
> http://www.pcapr.net/browse/fields
>
> Besides, the index makes searching for pcaps with specific fields a
> whole lot easier. Looking for a SIP pcap that contains the
> WWW-Authenticate header? No problem, just type in
> "field:sip.www.authenticate" in the search bar and off you go. How
> about chunked-encoded HTTP stream with exploit.php? Search for
> "field:http.transfer.encoding AND exploit.php".
>
> Enjoy,
>
> K.
>
>

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
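The field-coverage metric kowsik describes above, worked through as an added example; this is not code from the thread or from pcapr.net. It assumes a tiny, constructed dissector field list in the tab-separated layout that `tshark -G fields` prints (record type, display name, field abbreviation, field type, parent protocol; the column order is an assumption about that output), and constructed per-packet field observations standing in for what a dissector reports for each pcap. From those it computes, per protocol, the fraction of specified fields seen at least once (the "code coverage" view), lists the fields no packet exercised, and answers the two searches from the message (a required field, optionally combined with a substring such as `exploit.php`).

```python
"""Protocol field coverage of a packet set against a dissector's field list.

Constructed example: SPEC_FIELDS_TSV is a hand-written subset in the
tab-separated layout that `tshark -G fields` prints (column order assumed);
OBSERVED is a hand-written stand-in for the fields a dissector reported per
packet in each pcap. Neither is real tool output.
"""
from collections import defaultdict

# Constructed subset of dissector field definitions (not real tshark output).
# Columns: record type, display name, field abbreviation, field type, parent protocol.
SPEC_FIELDS_TSV = """\
P\tSession Initiation Protocol\tsip
F\tRequest-Line\tsip.Request-Line\tFT_STRING\tsip
F\tStatus-Line\tsip.Status-Line\tFT_STRING\tsip
F\tWWW-Authenticate\tsip.www.authenticate\tFT_STRING\tsip
F\tVia\tsip.Via\tFT_STRING\tsip
F\tCall-ID\tsip.Call-ID\tFT_STRING\tsip
P\tHypertext Transfer Protocol\thttp
F\tRequest Method\thttp.request.method\tFT_STRING\thttp
F\tTransfer-Encoding\thttp.transfer.encoding\tFT_STRING\thttp
F\tContent-Length\thttp.content.length\tFT_UINT64\thttp
F\tRequest URI\thttp.request.uri\tFT_STRING\thttp
"""

# Constructed per-packet field observations, keyed by pcap name, in the shape a
# dissector would report them (field abbreviation -> value).
OBSERVED = {
    "sip-register.pcap": [
        {"sip.Request-Line": "REGISTER sip:x SIP/2.0", "sip.Via": "SIP/2.0/UDP 10.0.0.1"},
        {"sip.Status-Line": "SIP/2.0 401 Unauthorized", "sip.www.authenticate": 'Digest realm="x"'},
    ],
    "http-chunked.pcap": [
        {"http.request.method": "GET", "http.request.uri": "/exploit.php"},
        {"http.transfer.encoding": "chunked"},
    ],
}


def parse_spec(tsv):
    """Return {protocol: set(field abbreviations)} built from the F records only."""
    fields = defaultdict(set)
    for line in tsv.splitlines():
        cols = line.split("\t")
        if cols[0] == "F" and len(cols) >= 5:
            fields[cols[4]].add(cols[2])
    return dict(fields)


def coverage(spec, observed):
    """Per protocol: fraction of spec fields seen at least once, the fields never
    seen, and observed fields under that protocol prefix the spec does not list."""
    seen = set()
    for packets in observed.values():
        for pkt in packets:
            seen.update(pkt)
    report = {}
    for proto, fields in spec.items():
        hit = fields & seen
        report[proto] = {
            "covered": len(hit) / len(fields),
            "missing": sorted(fields - hit),
            "unknown": sorted(f for f in seen if f.startswith(proto + ".") and f not in fields),
        }
    return report


def search(observed, required_fields=(), substring=None):
    """Names of pcaps whose packets carry every required field and, if given,
    contain the substring in some field value (mirrors 'field:x AND text')."""
    hits = []
    for name, packets in observed.items():
        present = set()
        values = []
        for pkt in packets:
            present.update(pkt)
            values.extend(str(v) for v in pkt.values())
        if not set(required_fields) <= present:
            continue
        if substring is not None and not any(substring in v for v in values):
            continue
        hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    spec = parse_spec(SPEC_FIELDS_TSV)
    for proto, r in coverage(spec, OBSERVED).items():
        print(f"{proto}: {r['covered']:.0%} covered, missing {r['missing']}")
    print(search(OBSERVED, ["sip.www.authenticate"]))
    print(search(OBSERVED, ["http.transfer.encoding"], "exploit.php"))
```

The `missing` list is the part that matters when writing a dissector or IPS signature: it names the spec fields your sample traffic never exercised, so any parsing or matching logic for them is untested. The `unknown` list catches the opposite drift, fields a dissector emits that the field index does not know about, which usually means the index is stale relative to the dissector version.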

Re: Protocol coverage metrics... Mar 20 2009 08:29PM
Aaron Turner (synfinatic gmail com)

Copyright 2010, SecurityFocus