IDS mailing list archives

Re: how to test IDS performance?

From: Matt Bing <mbing () nfr net>
Date: Wed, 2 Apr 2003 18:00:22 -0500

Latha Kris said:

Some of the features that the IDS can be tested for perfomance are 
- Is the IDS able to handle 100MBPS(or whatever load you need) HTTP 
traffic and inject attacks to see if it is able to detect attacks.
- Number of TCP/UDP sessions the IDS can handle at any time 
- At what load the IDS starts dropping packets with mixed amount of traffic
(HTTP, DNS, ICMP...)

The difficult part is generating this kind of traffic in a lab.


tcpreplay will let you replay traffic dumps at speeds as arbitrary as 
your hardware will allow:

http://tcpreplay.sourceforge.net

-- 
Matt Bing
NFR Security
Rapid Response Team

-----------------------------------------------------------
ALERT: Exploiting Web Applications- A Step-by-Step Attack Analysis
Learn why 70% of today's successful hacks involve Web Application
attacks such as: SQL Injection, XSS, Cookie Manipulation and Parameter 
Manipulation.
http://www.spidynamics.com/mktg/webappsecurity71

Current thread:

how to test IDS performance? Lau Ker Chea (Apr 01)
- RE: how to test IDS performance? Eric Hines (Apr 02)
- <Possible follow-ups>
- Re: how to test IDS performance? Latha Kris (Apr 02)
  - Re: how to test IDS performance? Matt Bing (Apr 03)