IDS mailing list archives
RE: IDS evaluations procedures
From: "Nathan Davidson" <ndavidso () globix com>
Date: Wed, 13 Jul 2005 12:49:22 -0400
If by "real" you mean standard Internet noise (port scans etc) then I would say very approximately 6 events per minute, based on what I see on our many Internet firewalls. This is of course a function of the size of the IP subnet on that link. E.g. a class C gets a lot less malicious packets than a class B because it has 1/255th of the IPs. Also if the subnet contains say amazon.com it is going to be much more attractive and therefore you will see many more probes. Without knowing how much legitimate bandwidth you are sending I couldn't say what the ratio is. But for a typical website with 10Mb/s of legitimate traffic it is a fraction of a % I guess you need to think about the maximum performance of your solution and therefore you should err on the side of caution and go for a heavy amount of attack traffic e.g. 5% or more. -----Original Message----- From: Joel Esler [mailto:eslerj () gmail com] Sent: 12 July 2005 15:48 To: david.sames () sparta com Cc: focus-ids () securityfocus com Subject: Re: IDS evaluations procedures depends on the bandwidth of the network. On 12 Jul 2005 02:40:18 -0000, david.sames () sparta com <david.sames () sparta com> wrote:
I'm in the process of developing test procedures for evaluating an
internal anomaly-based detection system. I'd like to construct a test set of nominal data peppered with attack data. What is a reasonable ratio of attack data to "normal" traffic that is representative of "real" systems.
Thanks, Dave
------------------------------------------------------------------------ --
Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------ --
------------------------------------------------------------------------ -- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ -- -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- IDS evaluations procedures david . sames (Jul 12)
- Re: IDS evaluations procedures Joel Esler (Jul 13)
- Re: IDS evaluations procedures Fergus Brooks (Jul 15)
- Re: IDS evaluations procedures Whodini (Jul 15)
- <Possible follow-ups>
- RE: IDS evaluations procedures THolman (Jul 13)
- RE: IDS evaluations procedures THolman (Jul 13)
- Re: IDS evaluations procedures Adam Powers (Jul 15)
- Re: IDS evaluations procedures Justin . Ross (Jul 17)
- RE: IDS evaluations procedures Omar Herrera (Jul 17)
- Re: IDS evaluations procedures Adam Powers (Jul 15)
- RE: IDS evaluations procedures Nathan Davidson (Jul 15)
- RE: IDS evaluations procedures Sames, David (Jul 15)
- RE: IDS evaluations procedures Nathan Davidson (Jul 17)
- Re: IDS evaluations procedures Adam Powers (Jul 17)
- Firewalls (was Re: IDS evaluations procedures) Devdas Bhagat (Jul 18)
- Re: Firewalls (was Re: IDS evaluations procedures) Richard Bejtlich (Jul 20)
- Re: Firewalls (was Re: IDS evaluations procedures) Devdas Bhagat (Jul 21)
- Re: Firewalls (was Re: IDS evaluations procedures) Richard Bejtlich (Jul 22)
- Re: Firewalls (was Re: IDS evaluations procedures) Nick Black (Jul 21)
- Re: Firewalls (was Re: IDS evaluations procedures) Richard Bejtlich (Jul 21)
- Re: Firewalls (was Re: IDS evaluations procedures) Fergus Brooks (Jul 22)