Re: Antigen forwarded attachment

From: Shashank Rai (shashrai_at_emirates.net.ae)
Date: 09/05/04

  • Next message: Andy Cuff: "Re: session logging IDS"

    Date: Sun, 05 Sep 2004 07:44:16 +0400
    To: Raj Malhotra <ral.mal@gmail.com>


    Hi Raj,

    Even before exploring different h/w configurations, I suggest you read the
    paper by Luca Deri on the limitations of libpcap on Linux and
    how to fine-tune it using his PF_RING patch:
    http://luca.ntop.org/Ring.pdf

    More details can be found at http://www.ntop.org/ntop.html.

    HTH

    -- 
    Shashank Rai
    ------------
    Network and Information Security Team,
    Emirates Telecommunication Corporation,
    Abu Dhabi, U.A.E.
    Ph: +971-2-6182523   Office
        +971-50-6670648  Cell
    GPG key:
    http://pgp.cns.ualberta.ca:11371/pks/lookup?op=vindex&search=0x01B79474026E36F5

    On Fri, 2004-09-03 at 10:20, Raj Malhotra wrote:
    > Hi All,
    > 
    > Based on the good discussion and feedback we had w.r.t. our question, we
    > conducted the following experiment:
    > 
    > 1) The aim was to have some kind of a system that allows us to view the
    > complete session of an attacker. We used one machine to run "tcpdump"
    > with the "-w" option, one machine to run "snort", and a "cisco 512",
    > connected to the same 100Mbps hub.
    > 2) 4 machines were used to run tcpreplay at 10Mbps (from each
    > machine), to have an aggregate data rate of 25-30Mbps on the hub.
    > There were two valid buffer-overflows in the traffic, and both were
    > for the same vulnerability.
    > 3) The machine configurations were as follows:
    >       for running snort and tcpdump: 
    >       100Mbps intel on-board NIC with e100 driver for Linux-RH-9.0
    >       512 RAM, P4-2.0 MHz , IDE 40GB hard disk at 10,000 RPM
    >        two 66MHz, 64bit PCI buses
    >       
    > Observations:
    > 1) The two IDSs were able to trigger an alert for the two attack streams.
    > 2) But tcpdump logged only one of them, and the other was logged
    > partially (packets were dropped).
    > 
    > Questions:
    > 1) Was the data rate too high for the particular machine configurations?
    > 2) Do we need any modifications to the disk and network drivers to
    > improve the performance?
    > 3) Is there an issue with regard to the way PCI buses on the
    > motherboard are associated with the cards connected to them? (One of
    > the Intel motherboard manuals says the speed of the bus will be equal
    > to the speed of the slowest card plugged into that bus.)
    > 
    > Any experiences with regard to the above queries will be appreciated.
    > 
    > Thanks
    > 
    > Raj
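As an added illustration that is not part of this thread, the first check a practitioner would make on a setup like Raj's, before changing hardware, is whether libpcap itself is reporting kernel-side drops. When tcpdump exits it writes a short summary to stderr ("N packets captured", "N packets received by filter", "N packets dropped by kernel"). The Python below parses such summaries collected from several capture hosts and flags any whose drop rate exceeds a threshold, treating a host with no complete summary (tcpdump killed before it could print one) as a separate finding. The host names and packet counts are constructed sample data; the relationship between "received by filter" and "dropped by kernel" is OS-dependent, so the rate is an estimate for ranking sensors, not an exact figure.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data (not from the thread): the summary tcpdump writes to
# stderr on exit, as captured from three hypothetical capture hosts.
SAMPLE_SUMMARIES: Dict[str, str] = {
    "tcpdump-box": (
        "1000000 packets captured\n"
        "1500000 packets received by filter\n"
        "500000 packets dropped by kernel\n"
    ),
    "snort-box": (
        "1500000 packets captured\n"
        "1500000 packets received by filter\n"
        "0 packets dropped by kernel\n"
    ),
    # A tcpdump that was killed hard leaves no complete summary behind.
    "truncated": "12 packets captured\n",
}

# tcpdump prints "1 packet captured" in the singular, hence "packets?".
SUMMARY_RE = re.compile(
    r"^\s*(\d+)\s+packets?\s+(captured|received by filter|dropped by kernel)\s*$",
    re.MULTILINE,
)


@dataclass
class CaptureStats:
    captured: int
    received: int
    dropped: int

    @property
    def drop_rate(self) -> float:
        """Estimated fraction of filter-matched packets the kernel discarded.

        Whether 'received by filter' already counts the dropped packets differs
        between libpcap platforms (Linux vs. the BSDs), so this is an estimate
        that is good enough to rank sensors, not an exact loss figure.
        """
        total = self.received + self.dropped
        return self.dropped / total if total else 0.0


def parse_summary(text: str) -> Optional[CaptureStats]:
    """Parse tcpdump's exit summary; return None if any of the three lines is missing."""
    found = {kind: int(count) for count, kind in SUMMARY_RE.findall(text)}
    try:
        return CaptureStats(
            captured=found["captured"],
            received=found["received by filter"],
            dropped=found["dropped by kernel"],
        )
    except KeyError:
        return None


def find_dropping_sensors(summaries: Dict[str, str], threshold: float = 0.01) -> Dict[str, object]:
    """Return sensors whose estimated drop rate exceeds `threshold`, plus sensors with no usable summary."""
    dropping: Dict[str, float] = {}
    incomplete: List[str] = []
    for name, text in summaries.items():
        stats = parse_summary(text)
        if stats is None:
            incomplete.append(name)
        elif stats.drop_rate > threshold:
            dropping[name] = round(stats.drop_rate, 4)
    return {"dropping": dropping, "incomplete": incomplete}


if __name__ == "__main__":
    result = find_dropping_sensors(SAMPLE_SUMMARIES)
    for name, rate in result["dropping"].items():
        print(f"{name}: kernel dropped about {rate:.1%} of matched packets; tune the capture path first")
    for name in result["incomplete"]:
        print(f"{name}: no complete tcpdump summary, the capture may have ended early")
```

A sensor that shows up in "dropping" is losing packets inside the host, between the NIC and the pcap reader, which is exactly the case where buffer and driver tuning (the subject of the PF_RING paper) pays off; a sensor in "incomplete" needs its capture process or disk checked before its numbers mean anything.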
    
