Re: IDS Security Metris

["Jamie Riden" <jamie.riden () gmail com>]

On 06/04/07, Stefano Zanero <zanero () elet polimi it> wrote:
> > sadly, in the real world, things don't often come in nice round numbers.
>
> How true !
>
> Assuming that "metr-ic" means "something that is quantifiable":
>
> > Offhand, I can think of false negative rate,
>
> A good indicator. How would you quantify it ?

All good points. Probably the best way is to try one in the situation
you're thinking of deploying it in, to get a representative sample. If
it's a university, then you probably want to do it in term time, to
capture a representative sample. Then work through the alerts you get.

I know one of the Juniper boxes we looked at would do nearly 1Gbit/s -
provided you didn't turn on the deep packet inspection stuff, so the
feature set you enable is also going to make a difference here.

If we're talking snort, I didn't really like my boxes to be more than
20% cpu-bound either, to leave some headroom. If necessary, you can
use smart ethernet cards (see Endace) to offload some work off the box
itself.

As to the last, probably something like CANVAS or metasploit to
exercise the IDS and see how much it catches.

The great thing about snort is that it's very easy to knock up a
prototype and see if it's could meet your needs, where as getting test
hardware from vendors takes a bit more organsing. (I haven't played
with any of the other free iDSs so I can't comment on those.)

cheers,
Jamie
--
Jamie Riden, CISSP / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------