IDS mailing list archives

Re: Antigen forwarded attachment


From: Raj Malhotra <ral.mal () gmail com>
Date: Fri, 3 Sep 2004 11:50:59 +0530

Hi All,

Based on the good discussion and feedback we had w.r.t. our question, we
conducted the following experiment:

1) The aim was to have some kind of system that allows us to view the
complete session of an attacker. We used one machine to run "tcpdump"
with the "-w" option, one machine to run "snort", and a "cisco 512", all
connected to the same 100 Mbps hub.
2) Four machines were used to run tcpreplay at 10 Mbps (from each
machine), to give an aggregate data rate of 25-30 Mbps on the hub.
There were two valid buffer-overflows in the traffic, and both were
for the same vulnerability.
3) The machine configurations were as follows:
      for running snort and tcpdump:
      100 Mbps Intel on-board NIC with e100 driver for Linux RH 9.0
      512 MB RAM, P4-2.0 MHz, IDE 40 GB hard disk at 10,000 RPM
      two 66 MHz, 64-bit PCI buses
      
Observations:
1) The two IDSes were able to trigger an alert for both attack streams,
2) but tcpdump logged only one of them completely; the other was logged
only partially (packets were dropped).

Questions:
1) Was the data rate too high for the particular machine configuration?
2) Do we need any modifications to the disk and network drivers to
improve performance?
3) Is there an issue with regard to the way the PCI buses on the
motherboard are associated with the cards connected to them? (One of the
Intel motherboard manuals says the speed of the bus will be equal to the
speed of the slowest card plugged into that bus.)

Any experiences with regard to the above queries will be appreciated.

Thanks

Raj
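
The post reports that one attack session was "logged partially" without saying how much of it is missing. The following is an added example, not code from the poster or from tcpdump, that quantifies exactly that: it walks a pcap file, follows each TCP direction's sequence numbers, and reports every forward jump, i.e. bytes the sniffer never wrote to disk. It assumes a little-endian pcap with Ethernet link type, IPv4 only, and no 32-bit sequence wrap within a flow. The embedded capture is constructed for the example: a five-segment "attack" session from which the third segment has been dropped, plus a complete two-segment session.

```python
"""Find TCP payload gaps in a pcap file: evidence that the sniffer dropped packets."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4        # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def ipv4(addr):
    return bytes(int(o) for o in addr.split("."))


def tcp_frame(src, dst, sport, dport, seq, payload, flags=0x18):
    """Build an Ethernet/IPv4/TCP frame for the test capture.
    Checksums stay zero; we exercise the parser, not a real stack."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                         ipv4(src), ipv4(dst))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    """Wrap raw frames in a pcap global header plus per-record headers."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_frames(data):
    """Yield the captured bytes of each record in a little-endian Ethernet pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (flow_key, seq, seq_consumed) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                       # not TCP
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    flags = tcp[13]
    # SYN and FIN each occupy one sequence number in addition to the payload.
    consumed = (len(tcp) - doff) + bool(flags & 0x02) + bool(flags & 0x01)
    return (src, sport, dst, dport), seq, consumed


def find_gaps(pcap_bytes):
    """Per flow direction, compare each segment's seq with the end of the previous one.
    Returns {flow: [(expected_seq, seen_seq, missing_bytes), ...]}.
    Retransmissions (seq below expected) are ignored; only forward jumps are
    reported, because those are bytes absent from the capture. Assumes no seq wrap."""
    expected = {}
    gaps = defaultdict(list)
    for frame in iter_frames(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        flow, seq, consumed = parsed
        if flow in expected and seq > expected[flow]:
            gaps[flow].append((expected[flow], seq, seq - expected[flow]))
        if flow not in expected or seq + consumed > expected[flow]:
            expected[flow] = seq + consumed
    return dict(gaps)


ATTACKER, VICTIM = "10.0.0.5", "10.0.0.9"   # constructed addresses for the example


def sample_capture():
    """Constructed pcap: a 5-segment session missing its third segment (as a
    dropping sniffer would record it) plus a complete 2-segment session."""
    attack = [tcp_frame(ATTACKER, VICTIM, 40000, 80, 1000 + 100 * i, b"A" * 100)
              for i in range(5)]
    del attack[2]                        # simulate the packet tcpdump lost
    clean = [tcp_frame(ATTACKER, VICTIM, 40001, 80, 5000 + 50 * i, b"B" * 50)
             for i in range(2)]
    return build_pcap(attack + clean)


if __name__ == "__main__":
    for flow, flow_gaps in find_gaps(sample_capture()).items():
        for exp, seen, missing in flow_gaps:
            print(f"{flow}: expected seq {exp}, saw {seen}: {missing} bytes missing")
```

Run against a real file by replacing `sample_capture()` with the bytes of the tcpdump `-w` output. Before doing that, read the counters tcpdump itself prints on exit ("packets captured", "received by filter", "dropped by kernel"): a non-zero kernel drop count already answers the first of the three questions above for that run, and the gap report then tells you which sessions the drops landed in.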
