IDS mailing list archives
Re: Antigen forwarded attachment
From: Raj Malhotra <ral.mal () gmail com>
Date: Fri, 3 Sep 2004 11:50:59 +0530
Hi All,

Based on the good discussion and feedback we had w.r.t. our question, we conducted the following experiment:

1) The aim was to have some kind of a system that allows us to view the complete session of an attacker. We used one machine to run "tcpdump" with the "-w" option, one machine to run "snort", and a "cisco 512", all connected to the same 100Mbps hub.

2) 4 machines were used to run tcpreplay at 10Mbps (from each machine), to have an aggregate data rate of 25-30Mbps on the hub. There were two valid buffer-overflows in the traffic, and both were for the same vulnerability.

3) The machine configurations were as follows, for running snort and tcpdump:
- 100Mbps Intel on-board NIC with e100 driver for Linux-RH-9.0
- 512 RAM, P4-2.0 MHz, IDE 40GB hard disk at 10,000 RPM
- two 66MHz, 64bit PCI buses

Observations:
1) The two IDS were able to trigger an alert for the two attack streams
2) but tcpdump logged only one of them, and the other was logged partially (packets were dropped)

Questions:
1) Was the data rate too high for the particular machine configurations?
2) Do we need any modifications to the disk and network drivers to improve the performance?
3) Is there an issue with regard to the way PCI buses on the motherboard are associated with the cards connected to them? (One of the Intel motherboard manuals says the speed of the bus will be equal to the speed of the slowest card plugged into that bus.)

Any experiences with regard to the above queries will be appreciated.

Thanks
Raj
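A check for the capture-loss observation above, added here as an example and not code from the post: it parses the summary tcpdump prints on exit, computes the kernel drop rate, and optionally compares the captured count against the total "packets sent" reported by the tcpreplay hosts (assumed to be collected by hand). The summary text, the `packets_sent` figure and the `max_drop_rate` threshold are constructed assumptions.

```python
import re

# Constructed sample of the summary tcpdump prints on stderr when it exits;
# the numbers are made up to mirror a partial capture like the one in the post.
SAMPLE_SUMMARY = """\
184213 packets captured
251900 packets received by filter
67687 packets dropped by kernel
"""

_SUMMARY_LINE = re.compile(
    r"^\s*(\d+)\s+packets\s+(captured|received by filter|dropped by kernel)\s*$"
)


def parse_tcpdump_summary(text):
    """Return {'captured': n, 'received': n, 'dropped': n} from tcpdump's exit summary."""
    counts = {"captured": 0, "received": 0, "dropped": 0}
    for line in text.splitlines():
        m = _SUMMARY_LINE.match(line)
        if m:
            counts[m.group(2).split()[0]] = int(m.group(1))
    return counts


def kernel_drop_rate(counts):
    """Fraction of packets lost between the kernel buffer and the pcap file.

    'received by filter' means different things on different platforms, so the
    denominator is captured + dropped, which is well defined everywhere.
    """
    total = counts["captured"] + counts["dropped"]
    return counts["dropped"] / total if total else 0.0


def audit_capture(summary_text, packets_sent=None, max_drop_rate=0.0):
    """Decide whether a pcap can be trusted as a complete record of the traffic.

    packets_sent is the sum of the 'sent' counts from the replaying hosts
    (assumed input).  Comparing it with the captured count also catches loss
    the kernel never sees, e.g. frames discarded by the NIC or the hub.
    """
    counts = parse_tcpdump_summary(summary_text)
    rate = kernel_drop_rate(counts)
    missing = None if packets_sent is None else packets_sent - counts["captured"]
    complete = rate <= max_drop_rate and (missing is None or missing <= 0)
    return {"counts": counts, "kernel_drop_rate": rate,
            "missing_vs_sent": missing, "complete": complete}
```

A non-zero kernel drop count means the pcap cannot be used to reconstruct a full session even when the IDS alerted, since the IDS only needs the packets carrying the signature.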
Current thread:
- Re: Antigen forwarded attachment Raj Malhotra (Sep 03)
- Re: Antigen forwarded attachment Shashank Rai (Sep 05)