IDS mailing list archives
Re: IDS and Bandwidth
From: Mayank Bhatnagar <mayank () ncb ernet in>
Date: Tue, 5 Jul 2005 19:06:54 +0530 (IST)
Hi Bhaskar,

Your problem is about monitoring IDS and bandwidth issues. I feel the architecture of your IDS could be the bottleneck. Try to troubleshoot on the following points:

1) Are the nodes that are deployed separately processing/analysing the traffic, or are they just dumping it to the central master node for further processing? If it is the latter, then of course you have duplication of the traffic being redirected; in that case see if you can possibly change the IDS nodes from (most probably) logging mode to detection mode. I presume that's not the case, as you mentioned the false positives.

2) Is there a possibility for your IDS nodes to accumulate the alerts at the nodes themselves? You as an IDS operator would then have to bear the additional responsibility of managing them regularly, i.e. "be on your toes", rather than depending only on the central master. I am pointing towards a web-based or remote monitoring interface to your individual IDS agents. This will reduce the traffic flow. But then you reduce the chances of the central master doing any further processing, e.g. any correlation work or alert analysis work being carried out.

3) You can verify what kinds of false positives the IDS nodes generate and whether you can tune the individual nodes to reduce them. The manuals of your IDS could help in this regard, and this is where an IDS operator's true skills are tested :)

4) Probably you can actually see what kind of traffic flow it is and verify that it is really generated by your IDS nodes. You need to confirm what kind of traffic it is and whether it is really coming from the IDS nodes only.

Regards,
Mayank

On 5 Jul 2005 bhaskar.gupta () tcs com wrote:
Dear friends,

I am working as an IDS operator in my company. Due to the big size of the organisation, different IDS nodes are monitoring different centres through a central master node. Since there are a lot of incidents (including false positives) generated across the organisation, there is a complaint from our networking team that the IDS is consuming a lot of bandwidth over the network. I am really not able to figure out how much network bandwidth an IDS can eat up. Please throw some light on this.

cheers,
Bhaskar
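Mayank's fourth point, confirming that the traffic really comes from the sensors, and his first point, spotting a node that forwards raw traffic instead of alerts, can both be checked from a flow export taken between the sensors and the master. The following is an added example, not code from either poster; it works on a constructed one-minute set of flow records, and the sensor and master addresses are assumed placeholder values.

```python
"""Attribute observed traffic to IDS sensors (constructed sample flows)."""
from collections import defaultdict

# Constructed one-minute flow export: (src_ip, dst_ip, dst_port, bytes).
# Addresses are placeholders, not from the original thread.
FLOWS = [
    ("10.1.1.10", "10.0.0.5", 514, 4_200_000),     # sensor A -> master (alerts)
    ("10.1.2.10", "10.0.0.5", 514, 3_900_000),     # sensor B -> master (alerts)
    ("10.1.3.10", "10.0.0.5", 9000, 120_000_000),  # sensor C -> master (raw dump?)
    ("10.1.1.10", "10.0.0.5", 22, 50_000),         # admin session to master
    ("10.5.5.5", "10.0.0.5", 445, 30_000_000),     # non-sensor host -> master
    ("10.6.6.6", "10.7.7.7", 80, 25_000_000),      # unrelated to the IDS
]
SENSORS = {"10.1.1.10", "10.1.2.10", "10.1.3.10"}
MASTER = "10.0.0.5"
WINDOW_SECONDS = 60

def mbps(byte_count, seconds=WINDOW_SECONDS):
    """Average rate in megabits per second over the export window."""
    return byte_count * 8 / seconds / 1_000_000

def bytes_by_source(flows):
    """Total bytes sent per source address, to see who actually generates load."""
    totals = defaultdict(int)
    for src, _dst, _port, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)

def sensor_share(flows, sensors=SENSORS, master=MASTER):
    """Return (sensor->master bytes, total bytes, fraction of total)."""
    total = sum(f[3] for f in flows)
    sensor_bytes = sum(f[3] for f in flows if f[0] in sensors and f[1] == master)
    return sensor_bytes, total, (sensor_bytes / total if total else 0.0)

def suspect_raw_forwarders(flows, alert_budget_mbps=1.0, sensors=SENSORS, master=MASTER):
    """Sensors sending far more to the master than an alert stream plausibly needs."""
    per_sensor = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if src in sensors and dst == master:
            per_sensor[src] += nbytes
    return sorted(s for s, b in per_sensor.items() if mbps(b) > alert_budget_mbps)

if __name__ == "__main__":
    sensor_bytes, total, frac = sensor_share(FLOWS)
    print(f"sensor->master: {mbps(sensor_bytes):.2f} Mbps, {frac:.0%} of observed traffic")
    for src, b in sorted(bytes_by_source(FLOWS).items(), key=lambda kv: -kv[1]):
        print(f"{src:12} {mbps(b):8.2f} Mbps")
    print("possible raw-forwarding sensors:", suspect_raw_forwarders(FLOWS))
```

The alert budget is a rough threshold to tune for your own deployment; the point is that one sensor at 16 Mbps next to two at about half a megabit is worth a closer look.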
Current thread:
- IDS and Bandwidth bhaskar . gupta (Jul 04)
- Re: IDS and Bandwidth Tony Rall (Jul 05)
- Re: IDS and Bandwidth Fergus Brooks (Jul 05)
- Re: IDS and Bandwidth Michael Boman (Jul 05)
- Re: IDS and Bandwidth David W. Goodrum (Jul 05)
- Re: IDS and Bandwidth Mayank Bhatnagar (Jul 05)
- Re: IDS and Bandwidth Mark Teicher (Jul 05)
- <Possible follow-ups>
- RE: IDS and Bandwidth PPowenski (Jul 05)
- RE: IDS and Bandwidth MailTest (Jul 12)
- RE: IDS and Bandwidth THolman (Jul 13)
- RE: IDS and Bandwidth Nathan Davidson (Jul 15)
- RE: IDS and Bandwidth Michael Allgeier (Jul 17)
- Re: IDS and Bandwidth Tony Rall (Jul 05)