IDS mailing list archives
IPS/IDS behavior with ISIC/UDPSIC/TCPSIC/ICMPSIC traffic
From: "Ravi Chunduru" <ravi.is.chunduru () gmail com>
Date: Wed, 30 Apr 2008 08:22:07 -0700
According to NSS testing criteria, the IPS/IDS devices are expected to work normally even during the time *SIC traffic is sent at 60000 pkts/sec with each packet size of 690 bytes.

I find that an inline Snort IPS software-based PC device stops passing any legitimate traffic when this *SIC traffic is sent at very high speed. As such I also see this problem even if UDPSIC traffic (with random ports) is passed at 50000 pkts/sec. Once the traffic is stopped, it starts working normally. Note that if I use UDPSIC with a fixed port, then I don't see the problem of 100% CPU utilization and other traffic passes normally. I am using a PC with a P4 processor running at 2.8 GHz.

Is there any significance to the 60000 pkts/sec NSS number? Also, what is the expected behavior of IPS software during this load? Does NSS test with random UDP ports? Or do they use one fixed port while running UDPSIC and TCPSIC?

Thanks
Ravi