Re: IDS Security Metrics



On 06/04/07, Stefano Zanero <zanero@xxxxxxxxxxxxxx> wrote:
> sadly, in the real world, things don't often come in nice round numbers.

How true!

Assuming that "metric" means "something that is quantifiable":

> Offhand, I can think of false negative rate,

A good indicator. How would you quantify it?

All good points. Probably the best way is to try one in the situation
you're thinking of deploying it in, to get a representative sample. If
it's a university, then you probably want to do it in term time, to
capture a representative sample. Then work through the alerts you get.

I know one of the Juniper boxes we looked at would do nearly 1Gbit/s -
provided you didn't turn on the deep packet inspection stuff, so the
feature set you enable is also going to make a difference here.

If we're talking snort, I didn't really like my boxes to be more than
20% cpu-bound either, to leave some headroom. If necessary, you can
use smart ethernet cards (see Endace) to offload some work off the box
itself.

As to the last, probably something like CANVAS or metasploit to
exercise the IDS and see how much it catches.

The great thing about snort is that it's very easy to knock up a
prototype and see if it could meet your needs, whereas getting test
hardware from vendors takes a bit more organising. (I haven't played
with any of the other free IDSs so I can't comment on those.)

cheers,
Jamie
--
Jamie Riden, CISSP / jamesr@xxxxxxxxxx / jamie@xxxxxxxxxxxxxxx
UK Honeynet Project: http://www.ukhoneynet.org/
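The false-negative measurement Jamie describes (replay known attacks through the sensor, then triage every alert by hand) produces a small labelled sample, and small samples rarely give "nice round numbers". The following is an added example, not code from the original post or from any IDS project: it takes a constructed list of labelled events (whether each was really malicious, and whether the IDS alerted) and reports false-negative rate, false-positive rate and precision, with a Wilson score interval on the false-negative rate so that a rate estimated from five attacks is not mistaken for a precise figure. The record format, the function names and the sample data are all assumptions for the example.

```python
"""Estimate IDS false-negative / false-positive rates from a hand-triaged sample."""
from math import sqrt

# Constructed sample (not real sensor output): each record is
# (event_id, truly_malicious, ids_alerted). In practice the first flag comes
# from knowing which traffic you replayed, the second from the alert log.
SAMPLE = [
    ("e1", True, True),
    ("e2", True, False),   # missed attack
    ("e3", False, False),
    ("e4", False, True),   # false alarm
    ("e5", True, True),
    ("e6", False, False),
    ("e7", True, True),
    ("e8", False, False),
    ("e9", False, True),   # false alarm
    ("e10", True, False),  # missed attack
]


def confusion(records):
    """Count true/false positives and negatives from labelled records."""
    counts = {"tp": 0, "fn": 0, "fp": 0, "tn": 0}
    for _, malicious, alerted in records:
        if malicious and alerted:
            counts["tp"] += 1
        elif malicious:
            counts["fn"] += 1
        elif alerted:
            counts["fp"] += 1
        else:
            counts["tn"] += 1
    return counts


def wilson_interval(successes, n, z=1.96):
    """95% Wilson score interval for a proportion.

    Unlike the naive p +/- z*sqrt(p(1-p)/n), this stays inside [0, 1] and
    gives a sensible width when n is small or p is 0 or 1.
    """
    if n == 0:
        return (0.0, 1.0)  # no data: the rate could be anything
    p = successes / n
    z2 = z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def ids_metrics(records):
    """Return the confusion counts plus the rates a deployment review needs."""
    c = confusion(records)
    attacks = c["tp"] + c["fn"]   # events that should have fired
    benign = c["fp"] + c["tn"]    # events that should have stayed quiet
    alerts = c["tp"] + c["fp"]    # what the analyst actually has to triage
    return {
        **c,
        "false_negative_rate": c["fn"] / attacks if attacks else 0.0,
        "false_negative_rate_ci95": wilson_interval(c["fn"], attacks),
        "false_positive_rate": c["fp"] / benign if benign else 0.0,
        "precision": c["tp"] / alerts if alerts else 0.0,
    }


if __name__ == "__main__":
    for key, value in ids_metrics(SAMPLE).items():
        print(f"{key:26s} {value}")
```

With the constructed sample the point estimate is a 40% false-negative rate, but the interval runs from roughly 12% to 77%: five replayed attacks tell you the sensor misses things, not how often. Widening the replay set (or, as the post suggests, running during a representative period such as term time) is what narrows that interval.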
