Re: Important Comments re: INtrusion Detection

["Michael T. Stolarchuk" <mts () rare net>]

> > From: Adam Shostack <adam () homeport org>
> > Subject: Re: Important Comments re: INtrusion Detection
> > To: kurt () abirnet com
> > Date: Wed, 18 Feb 1998 17:01:53 -0500 (EST)
> > Cc: tqbf () secnet com, darrenr () cyber com au, firewall-wizards () nfr net,
> >        craig () onshore com
> > X-Mailer: ELM [version 2.4ME+ PL27 (25)]
> > Sender: owner-firewall-wizards () nfr net
> > Reply-To: Adam Shostack <adam () homeport org>
> >
> > To expand: Assume a system running a 1 mip with a small memory that
> > can hold 100 packets for processing.  If processing each packet takes
> > 10,000 instructions, then the IDS can process a packet in 1/100 of a
> > second. 

Numbers?  Anybody want some numbers?

how about some more details about the data rates i'm playing with?
i'm currently trying to do some in depth sniffing of an active fddi.

The peak load times happen from about 11am to 5:30pm, AND from
about 1:am to 4:am.  The morning times load doesnt necessarily make
sense, but during that time, the primary unix machines are pulling
from file servers to verify and resync their contents...

Anyway, heres some of the number's i'm counting:

...
packets: 312578 (14995) chars: 201781570 (9799710)      cap: 201781570 (9799710) s: 21
Pcap packets 314156 (15151) drops 156 (0)
packets: 328342 (15764) chars: 212354495 (10572925)     cap: 212354495 (10572925) s: 22
Pcap packets 330135 (15979) drops 156 (0)
packets: 344221 (15879) chars: 222750424 (10395929)     cap: 222750424 (10395929) s: 23
Pcap packets 344580 (14445) drops 156 (0)
packets: 359096 (14875) chars: 232965332 (10214908)     cap: 232965332 (10214908) s: 24
Pcap packets 359607 (15027) drops 156 (0)
packets: 373883 (14787) chars: 242485226 (9519894)      cap: 242485226 (9519894) s: 25
Pcap packets 374821 (15214) drops 156 (0)
...
Pcap packets 597263 (14686) drops 156 (0)
packets: 613019 (16724) chars: 385336154 (9082500)      cap: 385336154 (9082500) s: 41
Pcap packets 614321 (17058) drops 156 (0)
packets: 627825 (14806) chars: 393689874 (8353720)      cap: 393689874 (8353720) s: 42
Pcap packets 629485 (15164) drops 156 (0)


This test is ONLY to verify the amount of traffic on this segment.
I have not yet activly begun trying to do much with the traffic.

The traffic for the first snapshop is between 9.7-10.5 Mb.
The packet counts during peak loading times varies between 15,000
and 18,000 packets per second.

That's the kinda firehose i want to validate against.

In this particular test, i'm only traying to validate that
i can read the entire stream into the process space, nothing
more.  i belive the packet drops count is the actual packet count
drops; its correctly counted.  One of the reasons i belive that
is the machine is about 80% idle.  

btw: its a small 200mhz pentium, with the dec fpa card.

mts.