[ISSForum] network sensor 7 performance
From: Nemesis_Sun (jeffameshotmail.com)
Date: Tue Jan 06 2004 - 11:30:17 CST
I have enabled the dropped packet notification on my NS V7.0 and one of the
sensors is reporting that it is dropping a number of packets. Could the reason
below be an explanation?
----- Original Message -----
From: "Jeanne" <jhunt1mail.state.mo.us>
To: "Robert Graham" <robert_david_grahamyahoo.com>
Cc: "issforumatla-mm1.iss.net" <issforumiss.net>
Sent: Monday, January 05, 2004 9:03 PM
Subject: Re: [ISSForum] network sensor 7 performance
> Robert, Thanks for a great explanation. I am also looking to see if my
> sensor is dropping packets or not.
> I use RealSecure Network Sensors V. 7.
> Where do I change the configuration for
> SensorStatistics and
> Where do
> Robert Graham wrote:
> >Unless something is drastically wrong, the sensor generally doesn't drop
> >packets. Remember that RealSecure version 7.0 is roughly 10 times faster than
> >RealSecure version 6.0, therefore, whereas v6 customers worried about
> >loss, v7 customers generally don't.
> >By far the best way to monitor the situation is the event
> >If enabled in the policy, it will trigger every 15 minutes, and include a
> >number of interesting numbers in the "event details" portion. One of the
> >important numbers counts the number of TCP "acknowledgements" for data the
> >sensor didn't see. (In other words, the machines on either end saw the
> >but the network sensor didn't). This will tell you when the sensor drops
> >packets, as well as when packets are being dropped before they reach the
> >sensor. A lot of customers have used this number to figure out that their
> >switch's monitor port was dropping occasional packets.
> >The sensor itself can tell you when it thinks it has dropped a packet
> >"SensorError" events, but I think "SensorStatistics" is better.
> >Note that you should never run an IDS under the condition where a certain
> >percentage of packets is being dropped. An IDS is either dropping
> >it isn't. Even a small number of dropped packets can lead to high numbers of
> >false-positives and false-negatives. Part of the installation procedure
> >make sure it is installed in such a way that it isn't dropping packets. In
> >other words, the SensorStatistic value of "tcp.nodataacks" should be
> >Robert Graham
> >Chief Scientist, ISS
> >--- "Johnson, Scott" <sjohnson1ercot.com> wrote:
> >>How can I monitor the network sensor for bandwidth allocation and what
> >>percentage of packets are being dropped?
> >>Scott Johnson, CISSP, GSEC
> >>ERCOT Cyber Security
> >>Office 512-248-3152
> >>Cell 512-917-9844
> >Robert Graham
> >play[http://www.robertgraham.com] work[http://iss.net]
> >"Security is mostly a superstition, it does not exist in nature" -- H.
ISSForum mailing list
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
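
The check described in the quoted reply (counting TCP acknowledgements for data the sensor did not see) can be sketched as follows. This is an added example, not part of the original thread and not ISS's implementation of "tcp.nodataacks"; the segment format, function names and trace are constructed for illustration.

```python
from collections import namedtuple

# One TCP segment as a passive sensor would record it (hypothetical format).
Seg = namedtuple("Seg", "src dst seq ack length flags")  # flags: e.g. "S", "SA", "A"

def seq_after(a, b):
    """True if sequence number a is strictly after b, modulo 2**32."""
    return 0 < ((a - b) & 0xFFFFFFFF) < 0x80000000

def count_nodata_acks(segments):
    """Return (acks_for_unseen_data, unseen_bytes) for the captured segments."""
    seen_end = {}  # (src, dst) -> highest seq+len the sensor saw from src to dst
    count = missed = 0
    for s in segments:
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        # The peer acknowledges bytes beyond anything captured: the endpoints
        # saw data that never reached the sensor. Flows picked up mid-stream
        # (no state for the reverse direction yet) are skipped, not counted.
        if "A" in s.flags and rev in seen_end and seq_after(s.ack, seen_end[rev]):
            count += 1
            missed += (s.ack - seen_end[rev]) & 0xFFFFFFFF
            seen_end[rev] = s.ack  # resynchronise so each gap is counted once
        # SYN and FIN each consume one sequence number.
        end = (s.seq + s.length + ("S" in s.flags) + ("F" in s.flags)) & 0xFFFFFFFF
        if fwd not in seen_end or seq_after(end, seen_end[fwd]):
            seen_end[fwd] = end
    return count, missed

C, S = "10.0.0.5:1025", "10.0.0.9:80"  # constructed endpoints
TRACE = [  # constructed, complete conversation
    Seg(C, S, 1000, 0, 0, "S"),
    Seg(S, C, 5000, 1001, 0, "SA"),
    Seg(C, S, 1001, 5001, 0, "A"),
    Seg(C, S, 1001, 5001, 100, "A"),
    Seg(S, C, 5001, 1101, 0, "A"),
    Seg(C, S, 1101, 5001, 200, "A"),  # removed below to simulate a dropped packet
    Seg(S, C, 5001, 1301, 0, "A"),
    Seg(C, S, 1301, 5001, 50, "A"),
    Seg(S, C, 5001, 1351, 0, "A"),
]

if __name__ == "__main__":
    print("complete capture:", count_nodata_acks(TRACE))
    print("one segment lost:", count_nodata_acks(TRACE[:5] + TRACE[6:]))
```

A non-zero count does not say where the loss happened: the same result appears whether the sensor or the switch monitor port dropped the segment.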