Snort mailing list archives
RE: [Fwd: Re: tippingpoint]
From: "Bob Walder" <bwalder () spamcop net>
Date: Fri, 17 Oct 2003 21:59:43 +0200
Check out our IDS test methodology in our latest reports (www.nss.co.uk/gigabitids or www.nss.co.uk/ids) for some ideas on how to approach this type of testing. Unfortunately you need to be prepared to spend some big bucks to create the sort of lab environment we have here, but I do know that there are quite a few places that will rent out the Spirent/Caw equipment now (I am losing track of what they are actually calling it THIS week ;o)... Way to mess with a good brand name guys!)

FYI - the testing for our first IPS group test is now underway (with some VERY interesting results already!) - it will be published in December.

Regards,

Bob Walder
Director
The NSS Group

----------------------------------------------------------------------------------
This message is intended for the addressee only and may contain information that may be of a privileged or confidential nature. If you have received this message in error, please notify the sender and destroy the message immediately. Unauthorised use or reproduction of this message is strictly prohibited.
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Josh Berry
Sent: 17 October 2003 19:53
To: Geoff
Cc: snort-users () lists sourceforge net
Subject: Re: [Fwd: Re: [Snort-users] tippingpoint]

What tools did you use to test these concurrent connections? I am currently looking for a good product to test the validity of vendors' data sheets (in other words, when they say it handles 100,000 connections per second I want to verify that it really does).

Thanks Marc. Not to get too much into tipping point sales-speak, but we threw 200,000 concurrent connections and about 9,000 session establishments per sec at the box and it did not fall over. The rough numbers we generated for blocking per sec were 265 packets per sec (dropped and blocks written to the interfaces). Besides a hardware problem with a miniGbic, we didn't even get it to hiccup, much less fall over. The signature detection is (here comes the sales speak) all ASIC based. I will leave that for what it is because I don't know enough to really talk about the benefits of different hardware architectures. But it is fast!

Please don't get me wrong. This is not a replacement for IDS. Even the sales guy from tipping point told me that :). Deep packet inspection and data correlation are a slow process and better suited to "off" line number crunching (ie. IDS).

Geoff

Marc Quibell wrote:

Sounds like you have a well thought-out implementation Geoff. My greatest "fear" of IPSes is the fact that placing a device in your network, towards the "top" (where all traffic goes thru), a device that has to read the entire contents of a packet (not just the headers)....ewwww...scary. I suppose it's no different than a Layer 7 firewall, but I would be more comfortable going with a mature and real-world tested product, like maybe a Cisco product. I gotta let you know though that we're an ISS shop and we're looking at Proventia real close! Currently we use host-based protection, but not on everything. I also use Snort.

Thanks.

Marc

gpoer () arizona edu on 10/16/2003 08:14:03 PM
To: Marc Quibell/FBFS@FBFS
cc:
Subject: Re: [Snort-users] tippingpoint

Ok had to respond to this one :)

> IPS right now is too dangerous to implement. No one in their right mind would
> risk the network outages caused by vulnerable IPSes.

There are plenty of companies running IPS and running it successfully. Implementation of an IPS requires that you only implement signatures that have a VERY low rate of false positive or traffic that you just flat out don't care if it gets dropped. For example: In our testing we dropped ICMP stacheldraht Agent to Server Hello packets. It is a very easy sig to spot: the word "skillz" inside an ICMP echo reply packet. Rarely are we going to see that one in the wild with business critical traffic. We also dropped ICMP Welchia packets; they consist of an echo request with 64 A's. A well known false positive for that signature is the Yahoo keep alive packets for Instant Messenger. We made the decision that we simply do not care about that traffic.

While I will agree that the Gartner group needs to reevaluate their system for recommendations concerning technology (don't just ask your customers, try asking some well established experts), that doesn't mean that IPS is the next coming of the anti-christ either (Martha Stewart being the 1st).

Geoff

Marc Quibell wrote:

What about it? Who cares what Gartner says? They have no idea what they're talking about, and the clown who wrote that article was discredited by IDS pros when he was forced to confront them. He says IDS is dead because it was useless (too many false alerts [bullcrap, we don't have any], not Gigabit capable [another lie]), not because HIDS was better. Security in layers, this is what it's all about. HIDS is good too. But HIDS don't make IDS dead!
He's in his Ivory tower being paid to discredit IDS. Do you really think these people who write these criticisms actually use the product? NO! He also said IDS was not an auditing tool, but was shot down on that issue too, because it is. Policy auditing is what it's used for as well: "How many of our users are using Kazaa?" -or- "Look at all of our users compromising our network by using GotoMyPc!" What's really cool is using Crystal Reports with the Snort database..YEAH! Do THAT with IPS!

IPS right now is too dangerous to implement. No one in their right mind would risk the network outages caused by vulnerable IPSes.

Cheese

Marc

Message: 11
Subject: RE: [Snort-users] tippingpoint
Date: Thu, 16 Oct 2003 10:34:16 -0400
From: "Rich Stryker" <rstryker () virtuallearning net>
To: <snort-users () lists sourceforge net>

Here is a report by the Gartner Group. It says IDS has been a complete failure and the host based IDS systems are the way to go until the new generation firewalls come out.

http://techrepublic.com.com/5100-6298-5078279.html

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Thanks,

Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com
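Geoff's rule of thumb in the quoted message, drop in-line only on signatures with a very low false-positive rate or on traffic you are happy to lose, can be shown as a small evaluation loop. The Python below is an added example written for this archive page; it is not code from the thread, from Snort, or from any product discussed in it. The ICMP builder and parser are minimal, the two signatures (the "skillz" echo reply and the 64-A echo request) and their per-signature actions are assumptions modelled on the descriptions above, and every sample packet is constructed here rather than captured. The Yahoo-style keepalive is built byte-for-byte identical to the Welchia sample, which is exactly why the thread calls it a known false positive for that signature.

```python
import struct
from typing import Callable, Dict, List, Optional, Tuple

# ICMP message types used by the two signatures discussed in the thread
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message (checksum field zeroed)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build a minimal ICMP echo / echo-reply message: type, code 0, checksum, id, seq, payload."""
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_icmp(packet: bytes) -> Dict[str, object]:
    """Split an ICMP message into header fields and payload, rejecting short or corrupt messages."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]
    if icmp_checksum(zeroed) != csum:
        raise ValueError("bad ICMP checksum")
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


# Signature table (assumed shapes, modelled on the thread): name, required ICMP type,
# payload predicate, and the operator's policy action. "drop" is reserved for signatures
# judged to have a very low false-positive rate or whose false positives hit traffic the
# operator does not mind losing; anything else would be set to "alert" only.
Signature = Tuple[str, int, Callable[[bytes], bool], str]

SIGNATURES: List[Signature] = [
    ("stacheldraht agent-to-handler hello", ICMP_ECHO_REPLY,
     lambda p: b"skillz" in p, "drop"),
    ("welchia icmp echo sweep", ICMP_ECHO_REQUEST,
     lambda p: p == b"A" * 64, "drop"),
]


def evaluate(packet: bytes) -> Tuple[str, Optional[str]]:
    """Return (action, signature name) for the first matching signature, or ("pass", None)."""
    fields = parse_icmp(packet)
    for name, required_type, predicate, action in SIGNATURES:
        if fields["type"] == required_type and predicate(fields["payload"]):
            return action, name
    return "pass", None


# Constructed sample traffic (not captures), shaped to the descriptions in the thread.
SAMPLES: Dict[str, bytes] = {
    "stacheldraht hello (echo reply)": build_icmp(ICMP_ECHO_REPLY, b"skillz\x00"),
    "welchia sweep (echo request)": build_icmp(ICMP_ECHO_REQUEST, b"A" * 64),
    # Assumed to be indistinguishable from the Welchia sample at the packet level.
    "yahoo-style keepalive (echo request)": build_icmp(ICMP_ECHO_REQUEST, b"A" * 64),
    "ordinary ping (echo request)": build_icmp(ICMP_ECHO_REQUEST, bytes(range(56))),
    # Same content as the stacheldraht sample but the wrong ICMP type: must not match.
    "'skillz' in an echo request": build_icmp(ICMP_ECHO_REQUEST, b"skillz"),
}


def run_policy() -> Dict[str, Tuple[str, Optional[str]]]:
    """Apply the signature table to every constructed sample."""
    return {label: evaluate(pkt) for label, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, (action, sig) in run_policy().items():
        print(f"{label:40s} -> {action:4s} {sig or ''}")
```

The two things worth noticing when it runs: the keepalive sample is dropped by the Welchia signature because nothing in the packet distinguishes the two, so the only way to keep that traffic is to demote the signature to "alert"; and the "skillz" string in an echo request passes because the signature is pinned to echo replies, which is the kind of narrowing that keeps an in-line rule's false-positive rate low.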
Current thread:
- [Fwd: Re: tippingpoint] Geoff (Oct 17)
- Re: [Fwd: Re: tippingpoint] Josh Berry (Oct 17)
- Re: [Fwd: Re: tippingpoint] Geoff (Oct 17)
- Re: [Fwd: Re: tippingpoint] Gary Flynn (Oct 17)
- Re: [Fwd: Re: tippingpoint] Geoff (Oct 17)
- <Possible follow-ups>
- RE: [Fwd: Re: tippingpoint] Bob Walder (Oct 17)
- Re: [Fwd: Re: tippingpoint] Josh Berry (Oct 17)