RE: Generating Traffic to Stress Test IDS

From: Ken Pohniman (kenpohniman@yahoo.com)
Date: 01/25/02


From: "Ken Pohniman" <kenpohniman@yahoo.com>
To: <Matt.Carpenter@alticor.com>, <cgrout@chrisgrout.com>
Date: Fri, 25 Jan 2002 22:04:17 +0800

Seems that at 60Mbps throughput, the NIDS packet drop rate is about 50%. My
question is - at what drop rate can an IDS afford to experience before
becoming totally 'useless'? Can the IDS still detect a particular attack if
it drops just 1 of the packets? This is my biggest question actually. Thanks!

-Ken

-----Original Message-----
From: Matt.Carpenter@alticor.com [mailto:Matt.Carpenter@alticor.com]
Sent: Friday, January 25, 2002 9:46 PM
To: cgrout@chrisgrout.com
Cc: 'Chad Gough'; focus-ids@lists.securityfocus.com;
kenpohniman@yahoo.com
Subject: RE: Generating Traffic to Stress Test IDS

>I'm sure that this is something that needs to be implemented by the
>vendor. For Snort, if you daemonized it, do a 'kill -USR1 pid' and it
>will dump stats to syslog. If not daemonized, it will dump stats to the
>console. As for NFR, I know it does also send alerts anytime it begins to
>drop packets.
>
>Also keep in mind, it also REALLY depends on how many filters/signatures
>you are running. Vendor "A" may state one thing, but forget to mention
>that it's barely running any filters at all.
>
>At 07:53 AM 1/25/2002 +0800, Ken Pohniman wrote:
>>From what I understand, a NIDS can typically handle up to 40Mbps of traffic
>>at any one time before starting to drop packets aggressively. An IDS
>>Balancer, like that from TopLayer Networks, will be required, especially if
>>you're talking about a GE network.
>>
>>Btw, regardless of what tool you use, does anyone know how to check what is
>>the packet drop rate on the IDS?
>>
>>Thanks!

Agreed. Most NT-based NIDS canNOT handle 40MB. The OS can hardly handle
it. The "up-to" part is key.




