IDS mailing list archives
Re: IDS Security Metris
From: "Jamie Riden" <jamie.riden () gmail com>
Date: Fri, 6 Apr 2007 10:15:31 +0100
On 06/04/07, Stefano Zanero <zanero () elet polimi it> wrote:
> sadly, in the real world, things don't often come in nice round numbers. How true! Assuming that "metr-ic" means "something that is quantifiable":
> Offhand, I can think of false negative rate, A good indicator. How would you quantify it?
All good points. Probably the best way is to try one in the situation you're thinking of deploying it in, to get a representative sample. If it's a university, then you probably want to do it in term time, to capture a representative sample. Then work through the alerts you get.

I know one of the Juniper boxes we looked at would do nearly 1Gbit/s - provided you didn't turn on the deep packet inspection stuff, so the feature set you enable is also going to make a difference here. If we're talking snort, I didn't really like my boxes to be more than 20% cpu-bound either, to leave some headroom. If necessary, you can use smart ethernet cards (see Endace) to offload some work off the box itself.

As to the last, probably something like CANVAS or metasploit to exercise the IDS and see how much it catches.

The great thing about snort is that it's very easy to knock up a prototype and see if it could meet your needs, whereas getting test hardware from vendors takes a bit more organising. (I haven't played with any of the other free IDSs so I can't comment on those.)

cheers,
Jamie
--
Jamie Riden, CISSP / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/
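Added example, not part of the original message: one way to put a number on the false negative rate discussed above, by matching a log of test cases launched against the IDS to Snort fast-format alerts. The addresses, SIDs, test names and the 30-second matching window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Snort "fast" alert: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]"
    r".*\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$")

# Constructed sample alert file (documentation addresses, local-range SIDs).
SAMPLE_ALERTS = """\
04/06-10:00:05.123456  [**] [1:1000001:1] constructed signature A [**] [Priority: 2] {TCP} 192.0.2.10:40000 -> 198.51.100.5:80
04/06-10:05:02.000321  [**] [1:1000002:1] constructed signature B [**] [Priority: 1] {TCP} 192.0.2.10:40001 -> 198.51.100.5:445
04/06-10:07:00.500000  [**] [1:1000003:1] constructed signature C [**] [Priority: 3] {ICMP} 203.0.113.7 -> 198.51.100.5
04/06-10:15:10.900000  [**] [1:1000004:2] constructed signature D [**] [Priority: 1] {UDP} 192.0.2.10:5353 -> 198.51.100.6:53
this line is not an alert and is skipped
""".splitlines()

def at(hms):
    return datetime.strptime("2007-04-06 " + hms, "%Y-%m-%d %H:%M:%S")

# Constructed log of what the tester launched: (name, launch time, source, target).
TEST_LOG = [
    ("case-1", at("10:00:00"), "192.0.2.10", "198.51.100.5"),
    ("case-2", at("10:05:00"), "192.0.2.10", "198.51.100.5"),
    ("case-3", at("10:10:00"), "192.0.2.10", "198.51.100.6"),
    ("case-4", at("10:15:00"), "192.0.2.10", "198.51.100.6"),
]

def parse_alerts(lines, year):
    """Parse fast-format lines; the format carries no year, so the caller supplies it."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
            alerts.append((ts, m["src"], m["dst"], int(m["sid"])))
    return alerts

def score(test_log, alerts, window=timedelta(seconds=30)):
    """Return (missed test names, false negative rate, alerts matching no test)."""
    matched, missed = set(), []
    for name, launched, src, dst in test_log:
        hits = [i for i, (ts, a_src, a_dst, _) in enumerate(alerts)
                if (a_src, a_dst) == (src, dst) and launched <= ts <= launched + window]
        if hits:
            matched.update(hits)
        else:
            missed.append(name)
    fn_rate = len(missed) / len(test_log) if test_log else 0.0
    return missed, fn_rate, len(alerts) - len(matched)
```

Alerts that match no launched test are left for manual triage; on a live network they are either real traffic of interest or false positives.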