Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: "Michael T. Stolarchuk" <mts () rare net>
Date: Thu, 19 Feb 1998 06:01:41 -0500
From: Adam Shostack <adam () homeport org>
Subject: Re: Important Comments re: INtrusion Detection
To: kurt () abirnet com
Date: Wed, 18 Feb 1998 17:01:53 -0500 (EST)
Cc: tqbf () secnet com, darrenr () cyber com au, firewall-wizards () nfr net, craig () onshore com
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
Sender: owner-firewall-wizards () nfr net
Reply-To: Adam Shostack <adam () homeport org>

> To expand: Assume a system running a 1 mip with a small memory that can hold 100 packets for processing. If processing each packet takes 10,000 instructions, then the IDS can process a packet in 1/100 of a second.
Numbers? Anybody want some numbers? How about some more details about the data rates I'm playing with?

I'm currently trying to do some in-depth sniffing of an active FDDI. The peak load times happen from about 11am to 5:30pm, AND from about 1am to 4am. The morning load doesn't necessarily make sense, but during that time the primary unix machines are pulling from file servers to verify and resync their contents...

Anyway, here are some of the numbers I'm counting:

...
packets: 312578 (14995) chars: 201781570 (9799710) cap: 201781570 (9799710) s: 21
Pcap packets 314156 (15151) drops 156 (0)
packets: 328342 (15764) chars: 212354495 (10572925) cap: 212354495 (10572925) s: 22
Pcap packets 330135 (15979) drops 156 (0)
packets: 344221 (15879) chars: 222750424 (10395929) cap: 222750424 (10395929) s: 23
Pcap packets 344580 (14445) drops 156 (0)
packets: 359096 (14875) chars: 232965332 (10214908) cap: 232965332 (10214908) s: 24
Pcap packets 359607 (15027) drops 156 (0)
packets: 373883 (14787) chars: 242485226 (9519894) cap: 242485226 (9519894) s: 25
Pcap packets 374821 (15214) drops 156 (0)
...
Pcap packets 597263 (14686) drops 156 (0)
packets: 613019 (16724) chars: 385336154 (9082500) cap: 385336154 (9082500) s: 41
Pcap packets 614321 (17058) drops 156 (0)
packets: 627825 (14806) chars: 393689874 (8353720) cap: 393689874 (8353720) s: 42
Pcap packets 629485 (15164) drops 156 (0)

This test is ONLY to verify the amount of traffic on this segment. I have not yet actively begun trying to do much with the traffic. The traffic for the first snapshot is between 9.7-10.5 Mb. The packet counts during peak loading times vary between 15,000 and 18,000 packets per second. That's the kind of firehose I want to validate against. In this particular test, I'm only trying to validate that I can read the entire stream into the process space, nothing more. I believe the packet drops count is the actual packet drop count; it's correctly counted.
One of the reasons I believe that is the machine is about 80% idle. btw: it's a small 200MHz Pentium, with the DEC FPA card.

mts.
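As an added example (not code from the original post or its author), here is a small parser for counter lines in the format quoted above that turns each one-second interval into a bit rate and flags any interval in which the libpcap drop counter grew. The line format and the per-line field meanings are assumed from the quoted output; the sample log is constructed, and its last interval is given a non-zero drop delta so the check has something to catch.

```python
import re

# Constructed sample in the format quoted in the message: one application
# counter line per second of capture, followed by the libpcap counters for the
# same interval. The "(n)" values are assumed to be deltas since the last line.
# The drop values on the final Pcap line are constructed to exercise the check.
SAMPLE_LOG = """\
packets: 312578 (14995) chars: 201781570 (9799710) cap: 201781570 (9799710) s: 21
Pcap packets 314156 (15151) drops 156 (0)
packets: 328342 (15764) chars: 212354495 (10572925) cap: 212354495 (10572925) s: 22
Pcap packets 330135 (15979) drops 156 (0)
packets: 344221 (15879) chars: 222750424 (10395929) cap: 222750424 (10395929) s: 23
Pcap packets 344580 (14445) drops 172 (16)
"""

APP_RE = re.compile(
    r"packets: (\d+) \((\d+)\) chars: (\d+) \((\d+)\) cap: (\d+) \((\d+)\) s: (\d+)"
)
PCAP_RE = re.compile(r"Pcap packets (\d+) \((\d+)\) drops (\d+) \((\d+)\)")


def parse_intervals(text):
    """Pair each application counter line with the Pcap line that follows it."""
    intervals = []
    current = None
    for line in text.splitlines():
        m = APP_RE.match(line)
        if m:
            pk, dpk, ch, dch, _cap, _dcap, sec = map(int, m.groups())
            current = {"sec": sec, "pkts": pk, "pps": dpk, "bytes": ch, "bytes_per_s": dch}
            continue
        m = PCAP_RE.match(line)
        if m and current is not None:
            pp, dpp, dr, ddr = map(int, m.groups())
            current.update({"pcap_pkts": pp, "pcap_pps": dpp, "drops": dr, "drop_delta": ddr})
            intervals.append(current)
            current = None
    return intervals


def summarize(intervals):
    """Per-interval captured rate in Mbit/s (bytes * 8) plus a drop flag."""
    return [
        {
            "sec": iv["sec"],
            "mbit_per_s": round(iv["bytes_per_s"] * 8 / 1e6, 1),
            "pps": iv["pps"],
            "dropping": iv["drop_delta"] > 0,
        }
        for iv in intervals
    ]
```

Running summarize(parse_intervals(log)) over a real capture log gives the per-second load the sniffer actually saw and the exact seconds where the kernel started dropping, which is the first thing to check before attributing drops to the analysis code.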