Re: IDS testing strategies
From: Robert Graham (robert_david_graham@yahoo.com)
Date: 07/05/02

Date: Thu, 4 Jul 2002 16:00:32 -0700 (PDT)
From: Robert Graham <robert_david_graham@yahoo.com>
To: "David W. Goodrum" <dgoodrum@nfr.com>
--- "David W. Goodrum" <dgoodrum@nfr.com> wrote:
> First, are you saying RS7.0 shows dropped packets now? How do you know
> you didn't drop any packets, or state for that matter?
RS7 has the ability to show dropped packets. It's off by default (personally, I
feel it should be on by default). Watching state get dropped is a debug feature
(counting the simultaneous sessions is likewise a debug feature).
> Was 700Mbps a burst, or a sustained rate? How long was it sustained?
> How long was the box in question actually up and running over all?
The box had been running for several days; the rate was roughly constant at
700 Mbps while I was working with it. This was during the peak hours of the
day; I would assume the traffic would be less during the night.
> Did you have "record packet" turned "on" for your signatures, or were
> you merely alerting?
Just alerting. The event rate was only a couple per second; I doubt that
logging any extra data would have made a difference.
> What kind of hardware were you running on? (CPU type/speed, motherboard,
> and memory are the main factors that I'm aware of).
Dell 1550 with dual 1.0 GHz CPUs, 1-gig of RAM. One CPU was 15%-30% utilized,
the other was 60%-65% utilized (i.e. there was lots of "headroom" left).
> I should say that I don't doubt you entirely. NFR has seen similar
> results with their NID-320's at various customer sites, so I know true
> gigE is almost (though not quite) within reach, but you've made a
> pretty bold statement in a very public forum, so I've got to ask these
> questions. (They're the same ones that always get asked of me!)
Both NFR and RealSecure have historically been the slower IDSs, focusing on
quality of signatures rather than performance. The reason that RealSecure 7 is
"surprisingly" faster than RealSecure 6 is that it puts the signatures on top of
the BlackICE engine. BlackICE has historically always been the fastest NIDS. (I
mean, if you look in public forums going back several years, I claimed that
BlackICE was ten times faster than RealSecure).
=====
Robert Graham
play[http://www.robertgraham.com] work[http://iss.net]
"Security is mostly a superstition, it does not exist in nature" -- H. Keller