From: Ken Pohniman (kenpohniman@yahoo.com)
Date: Fri Jan 25 2002 - 08:04:17 CST


    Seems that at 60Mbps throughput, the NIDS packet drop rate is about 50%. My
    question is - what drop rate can an IDS afford to experience before
    becoming totally 'useless'? Can the IDS still detect a particular attack if
    it drops just one of the packets? This is my biggest question actually. Thanks!

    -Ken

    -----Original Message-----
    From: Matt.Carpenter@alticor.com [mailto:Matt.Carpenter@alticor.com]
    Sent: Friday, January 25, 2002 9:46 PM
    To: cgrout@chrisgrout.com
    Cc: 'Chad Gough'; focus-ids@lists.securityfocus.com;
    kenpohniman@yahoo.com
    Subject: RE: Generating Traffic to Stress Test IDS

    >I'm sure that this is something that needs to be implemented by the
    >vendor. For Snort, if you daemonized it, do a 'kill -USR1 pid' and it
    >will dump stats to syslog. If not daemonized, it will dump stats to the
    >console. As for NFR, I know it does also send alerts anytime it begins to
    >drop packets.
    >
    >Also keep in mind, it also REALLY depends on how many filters/signatures
    >you are running. Vendor "A" may state one thing, but forget to mention
    >that it's barely running any filters at all.
    >
    >At 07:53 AM 1/25/2002 +0800, Ken Pohniman wrote:
    >>From what I understand, a NIDS can typically handle up to 40Mbps of
    >>traffic at any one time before starting to drop packets aggressively. An IDS
    >>Balancer, like that from TopLayer Networks, will be required, especially
    >>if you're talking about a GE network.
    >>
    >>Btw, regardless of what tool you use, does anyone know how to check what
    >>is the packet drop rate on the IDS?
    >>
    >>Thanks!

    Agreed. Most NT-based NIDS canNOT handle 40MB. The OS can hardly handle
    it. The "up-to" part is key.


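As an added illustration of Ken's question about how much packet loss a signature-based NIDS can tolerate (this is example code written for this page, not part of the thread and not from any IDS product), the model below drops each packet independently with a fixed probability, reassembles what survives per flow, and runs a hypothetical content signature that needs every fragment of a multi-packet payload. The traffic, the flow and fragment names and the signature are all constructed for the example. Under that independence assumption the detection probability is simply (1 - drop_rate)^fragments, and the Monte Carlo run checks the formula. Real drops under load are bursty rather than independent, and whether "dropping just one packet" defeats detection depends on whether that packet carried the bytes the signature keys on, so treat the numbers as a lower bound on what any particular sensor does, not as a vendor figure.

```python
import random

ATTACK_FLOW = "atk"  # hypothetical flow id for the constructed attack


def build_stream(fragments, benign=20):
    """Constructed sample traffic (not a capture): one attack flow whose
    payload is split across `fragments` packets, mixed with benign packets
    from other flows. Each packet is (flow_id, seq, payload)."""
    pkts = [("benign-%d" % i, 0, "GET /index.html HTTP/1.0") for i in range(benign)]
    pkts += [(ATTACK_FLOW, i, "EXPLOIT-PART-%d" % i) for i in range(fragments)]
    random.Random(0).shuffle(pkts)  # fixed interleaving; drops are randomised separately
    return pkts


def reassemble(pkts):
    """Group surviving packets by flow and sequence number, as a stream
    reassembler would before content signatures are applied."""
    flows = {}
    for flow_id, seq, payload in pkts:
        flows.setdefault(flow_id, {})[seq] = payload
    return flows


def signature_fires(flows, fragments):
    """Hypothetical multi-packet signature: it matches only if every fragment
    of the attack payload is present in order with no gap. One dropped
    fragment leaves a hole in the reassembled stream and the match fails."""
    atk = flows.get(ATTACK_FLOW, {})
    return all(seq in atk for seq in range(fragments))


def detection_probability(drop_rate, fragments):
    """Analytic expectation when each packet is dropped independently with
    probability drop_rate: all `fragments` packets must survive."""
    return (1.0 - drop_rate) ** fragments


def max_drop_rate_for(target_detection, fragments):
    """Largest per-packet drop rate that still detects the attack with
    probability target_detection (inverse of detection_probability)."""
    return 1.0 - target_detection ** (1.0 / fragments)


def simulate(drop_rate, fragments, trials=20000, seed=1):
    """Monte Carlo check of the formula: drop each packet independently,
    reassemble what survives, run the signature, and return the observed
    detection rate over `trials` repetitions of the same attack."""
    rng = random.Random(seed)
    stream = build_stream(fragments)
    hits = 0
    for _ in range(trials):
        survivors = [p for p in stream if rng.random() >= drop_rate]
        if signature_fires(reassemble(survivors), fragments):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("drop rate  frags  expected  simulated")
    for drop_rate in (0.01, 0.10, 0.50):
        for fragments in (1, 2, 4, 8):
            print("%8.2f  %5d  %8.4f  %9.4f" % (
                drop_rate, fragments,
                detection_probability(drop_rate, fragments),
                simulate(drop_rate, fragments, trials=5000)))
    for fragments in (1, 4, 8):
        print("to keep >= 50%% detection of a %d-packet attack, drop rate must stay below %.1f%%"
              % (fragments, 100 * max_drop_rate_for(0.5, fragments)))
```

Run it directly to print the table. The 50% drop rate Ken reports at 60Mbps halves detection of a single-packet signature, cuts a four-packet signature to about 6%, and leaves an eight-packet signature firing under 0.4% of the time; the inverse function shows that holding 50% detection for a four-packet signature already requires keeping loss under about 16%. The practical check is therefore not a single "useless" threshold but the sensor's own drop counter (the Snort USR1 stats dump or NFR's drop alerts mentioned above) read against the longest signatures you actually rely on.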