RE: Generating Traffic to Stress Test IDS

From: Chris Grout (cgrout@chrisgrout.com)
Date: 01/25/02


Date: Thu, 24 Jan 2002 17:15:34 -0800
To: <kenpohniman@yahoo.com>, "'Chad Gough'" <chad131@yahoo.com>, <focus-ids@lists.securityfocus.com>
From: Chris Grout <cgrout@chrisgrout.com>

I'm sure that this is something that needs to be implemented by the
vendor. For Snort, if you daemonized it, do a 'kill -USR1 pid' and it
will dump stats to syslog. If not daemonized, it will dump stats to the
console. As for NFR, I know it does also send alerts anytime it begins to
drop packets.

Also keep in mind, it also REALLY depends on how many filters/signatures
you are running. Vendor "A" may state one thing, but forget to mention
that it's barely running any filters at all.

At 07:53 AM 1/25/2002 +0800, Ken Pohniman wrote:
>From what I understand, a NIDS can typically handle up to 40Mbps of traffic
>at any one time before starting to drop packets aggressively. An IDS
>Balancer, like that from TopLayer Networks, will be required, especially if
>you're talking about a GE network.
>
>Btw, regardless of what tool you use, does anyone know how to check what is
>the packet drop rate on the IDS?
>
>Thanks!
>
>-----Original Message-----
>From: Chad Gough [mailto:chad131@yahoo.com]
>Sent: Thursday, January 24, 2002 11:27 PM
>To: focus-ids@lists.securityfocus.com
>Subject: Generating Traffic to Stress Test IDS
>
>
>Does anyone know of any good tools that can generate a lot of network
>traffic to see at what point an IDS starts dropping packets?
>
>Thanks,
>Chad


