IDS mailing list archives
Re: Antigen forwarded attachment
From: Shashank Rai <shashrai () emirates net ae>
Date: Sun, 05 Sep 2004 07:44:16 +0400
Hi Raj,

Even before exploring different h/w configurations I suggest you read the paper by Luca Deri on the limitations of libpcap on Linux and how to fine-tune it using his PF_RING patch: http://luca.ntop.org/Ring.pdf

More details can be found at http://www.ntop.org/ntop.html.

HTH
--
Shashank Rai
------------
Network and Information Security Team,
Emirates Telecommunication Corporation,
Abu Dhabi, U.A.E.
Ph: +971-2-6182523 Office
    +971-50-6670648 Cell
GPG key: http://pgp.cns.ualberta.ca:11371/pks/lookup?op=vindex&search=0x01B79474026E36F5

On Fri, 2004-09-03 at 10:20, Raj Malhotra wrote:
Hi All,

Based on the good discussion and feedback we had w.r.t. our question, we conducted the following experiment:

1) The aim was to have some kind of a system that allows us to view the complete session of an attacker. We used one machine to run "tcpdump" with the "-w" option, one machine to run "snort", and a "cisco 512", all connected to the same 100Mbps hub.

2) 4 machines were used to run tcpreplay at 10Mbps (from each machine), to have an aggregate data rate of 25-30Mbps on the hub. There were two valid buffer overflows in the traffic, and both were for the same vulnerability.

3) The machine configurations were as follows, for running snort and tcpdump:
   - 100Mbps Intel on-board NIC with e100 driver for Linux RH 9.0
   - 512 RAM, P4-2.0 MHz, IDE 40GB hard disk at 10,000 RPM
   - two 66MHz, 64bit PCI buses

Observations:

1) The two IDS were able to trigger an alert for the two attack streams,
2) but tcpdump logged only one of them, and the other was logged partially (packets were dropped).

Questions:

1) Was the data rate too high for the particular machine configurations?
2) Do we need any modifications to the disk and network drivers to improve the performance?
3) Is there an issue with regard to the way PCI buses on the motherboard are associated with the cards connected to them? (One of the Intel motherboard manuals says the speed of the bus will be equal to the speed of the slowest card plugged into that bus.)

Any experiences with regard to the above queries will be appreciated.

Thanks
Raj
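As an added example (not from either post), a check for the partial-session symptom Raj describes: walk a pcap file and flag TCP sequence-number holes per flow, which is how you tell a capture that dropped segments from one that simply saw fewer attacks. The sample pcap is constructed inline; the frame and pcap builders are hypothetical helpers written for this example.

```python
import struct

ETH_IPV4 = b"\x08\x00"

def _tcp_frame(seq, payload_len):
    """Build one Ethernet/IPv4/TCP data segment (constructed sample, no options)."""
    eth = b"\x00" * 12 + ETH_IPV4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + b"A" * payload_len

def build_pcap(frames):
    """Wrap frames in a little-endian pcap (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1094000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

def find_seq_gaps(pcap_bytes):
    """Return [(flow, expected_seq, seen_seq)] wherever a flow's next segment does
    not start where the previous one ended. Pure data segments are assumed
    (SYN/FIN consume a sequence number and would need extra handling)."""
    expected, gaps, off = {}, [], 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16: off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != ETH_IPV4 or frame[23] != 6:   # not IPv4, or not TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        ip = frame[14:14 + total_len]
        tcp = ip[ihl:]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload_len = len(tcp) - (tcp[12] >> 4) * 4
        flow = (ip[12:16], sport, ip[16:20], dport)
        if flow in expected and seq != expected[flow]:
            gaps.append((flow, expected[flow], seq))
        expected[flow] = seq + payload_len
    return gaps

# Constructed sample: seq 1000 (+100 bytes), then seq 1300 (the 1100..1299 segment
# never reached the disk), then 1500 (+50) continues cleanly.
SAMPLE_PCAP = build_pcap([_tcp_frame(1000, 100), _tcp_frame(1300, 200), _tcp_frame(1500, 50)])

if __name__ == "__main__":
    for flow, want, got in find_seq_gaps(SAMPLE_PCAP):
        print(f"{flow[0].hex()}:{flow[1]} -> {flow[2].hex()}:{flow[3]}: "
              f"expected seq {want}, saw {got} ({got - want} bytes missing)")
```

A hole found this way should be cross-checked against the "packets dropped by kernel" counter tcpdump prints at exit; a hole with zero kernel drops points at the hub or the replay side rather than the capture box.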