Snort mailing list archives

RE: [Fwd: Re: tippingpoint]


From: "Bob Walder" <bwalder () spamcop net>
Date: Fri, 17 Oct 2003 21:59:43 +0200

Check out our IDS test methodology in our latest reports
(www.nss.co.uk/gigabitids or www.nss.co.uk/ids) for some ideas on how to
approach this type of testing. Unfortunately you need to be prepared to
spend some big bucks to create the sort of lab environment we have here,
but I do know that there are quite a few places that will rent out the
Spirent/Caw equipment now (I am losing track of what they are actually
calling it THIS week ;o)... Way to mess with a good brand name guys!)

FYI - the testing for our first IPS group test is now underway (with
some VERY interesting results already!) - it will be published in
December.

Regards,

Bob Walder
Director
The NSS Group

------------------------------------------------------------------------------
This message is intended for the addressee only and may contain
information that may be of a privileged or confidential nature. If you
have received this message in error, please notify the sender and
destroy the message immediately. Unauthorised use or reproduction of
this message is strictly prohibited.



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Josh Berry
Sent: 17 October 2003 19:53
To: Geoff
Cc: snort-users () lists sourceforge net
Subject: Re: [Fwd: Re: [Snort-users] tippingpoint]


What tools did you use to test these concurrent connections?
I am currently looking for a good product to test the validity of
vendors' data sheets (in other words, when they say it handles 100,000
connections per second, I want to verify that it really does).




Thanks Marc. Not to get too much into tipping point sales speak, but we
threw 200,000 concurrent connections and about 9,000 session
establishments per sec at the box and it did not fall over. The rough
numbers we generated for blocking per sec were 265 packets per sec
(dropped and blocks written to the interfaces). Besides a hardware
problem with a miniGbic, we didn't even get it to hiccup, much less fall
over. The signature detection is (here comes the sales speak) all ASIC
based. I will leave that for what it is because I don't know enough to
really talk about the benefits of different hardware architectures.
But it is fast!

Please don't get me wrong. This is not a replacement for IDS. Even the
sales guy from tipping point told me that :). Deep packet inspection and
data correlation are a slow process and better suited to "off" line
number crunching (i.e. IDS).

Geoff

Marc Quibell wrote:

Sounds like you have a well thought-out implementation Geoff. My
greatest "fear" of IPSes is the fact that placing a device in your
network, towards the "top" (where all traffic goes thru), a device that
has to read the entire contents of a packet (not just the
headers)....ewwww...scary. I suppose it's no different than a Layer 7
firewall, but I would be more comfortable going with a mature and
real-world tested product, like maybe a Cisco product. I gotta let you
know though that we're an ISS shop and we're looking at Proventia real
close! Currently we use host-based protection, but not on everything. I
also use Snort.
Thanks.

Marc







gpoer () arizona edu on 10/16/2003 08:14:03 PM

To:   Marc Quibell/FBFS@FBFS
cc:

Subject:  Re: [Snort-users] tippingpoint



Ok had to respond to this one :)

> IPS right now is too dangerous to implement. No one in their right
> mind would risk the network outages caused by vulnerable IPSes.

There are plenty of companies running IPS and running it successfully.
Implementation of an IPS requires that you only implement signatures
that have a VERY low rate of false positives, or traffic that you just
flat out don't care if it gets dropped. For example: in our testing we
dropped ICMP stacheldraht Agent to Server Hello packets. It is a very
easy sig to spot: the word "skillz" inside an ICMP echo reply packet.
Rarely are we going to see that one in the wild with business-critical
traffic. We also dropped ICMP Welchia packets; they consist of an echo
request with 64 A's. A well known false positive for that signature is
the Yahoo keep alive packets for Instant Messenger. We made the decision
that we simply do not care about that traffic.

While I will agree that the Gartner group needs to reevaluate their
system for recommendations concerning technology (don't just ask your
customers, try asking some well established experts), that doesn't mean
that IPS is the next coming of the anti-christ either (Martha Stewart
being the 1st).

Geoff



Marc Quibell wrote:



What about it? Who cares what Gartner says? They have no idea what
they're talking about, and the clown who wrote that article was
discredited by IDS pros when he was forced to confront them. He says IDS
is dead because it was useless (too many false alerts [bullcrap, we
don't have any], not Gigabit capable [another lie]), not because HIDS
was better. Security in layers, this is what it's all about. HIDS is
good too. But HIDS don't make IDS dead! He's in his Ivory tower being
paid to discredit IDS. Do you really think these people who write these
criticisms actually use the product? NO! He also said IDS was not an
auditing tool, but was shot down on that issue too, because it is.

Policy Auditing is what it's used for as well, "How many of our users
are using Kazaa?" -or- "Look at all of our users compromising our
network by using GotoMyPc!"

What's really cool is using Crystal Reports with the Snort
database..YEAH! Do THAT with IPS!

IPS right now is too dangerous to implement. No one in their right
mind would risk the network outages caused by vulnerable IPSes.

Cheese

Marc


Message: 11
Subject: RE: [Snort-users] tippingpoint
Date: Thu, 16 Oct 2003 10:34:16 -0400
From: "Rich Stryker" <rstryker () virtuallearning net>
To: <snort-users () lists sourceforge net>

Here is a report by the Gartner Group. It says IDS has been a
complete failure and the host based IDS systems are the way to go
until the new generation firewalls come out.

http://techrepublic.com.com/5100-6298-5078279.html




-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program. 
SourceForge.net hosts over 70,000 Open Source Projects. See the 
people who have HELPED US provide better services: Click here: 
http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users













Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com








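
The signature trade-off Geoff describes above (a cheap content match that is safe to drop inline, and one whose well-known false positive the site decides it can live with), written out as an added example that is not part of the thread and is not Snort or any vendor's code. The packets, addresses and labels are constructed here; the Yahoo keepalive is modelled on the thread's statement that it false-positives against the Welchia rule (assumption: it carries the same run of 'A's in an echo request). The signature format is a toy type-plus-content match, not Snort rule syntax. The example also goes one step beyond the thread by running the same matches in alert-only mode, which is the IDS-versus-IPS distinction the thread keeps returning to.

```python
"""Toy inline-signature evaluation for the two ICMP matches discussed in the
thread.  Added example: constructed traffic, not Snort code, not from any
vendor.  All packets below are made up for illustration."""
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpPacket:
    label: str        # constructed name for this example, not a real packet field
    src: str
    dst: str
    icmp_type: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    name: str
    icmp_type: int
    content: bytes
    action: str       # "alert" leaves traffic alone (IDS); "drop" blocks it (IPS)

    def matches(self, pkt: IcmpPacket) -> bool:
        # Type + substring match, the whole of what the thread's two sigs need.
        return pkt.icmp_type == self.icmp_type and self.content in pkt.payload


# The two signatures the thread describes, expressed as type + content match.
SIGNATURES = (
    Signature("ICMP Welchia/Nachi ping (64 x 'A')", ICMP_ECHO_REQUEST, b"A" * 64, "drop"),
    Signature("stacheldraht agent->handler hello ('skillz')", ICMP_ECHO_REPLY, b"skillz", "drop"),
)

# Constructed sample traffic (addresses from documentation/private ranges).
# The Yahoo keepalive is assumed to carry the same 64 'A's as the worm ping,
# which is exactly why a content-only rule cannot tell the two apart.
SAMPLE_TRAFFIC = (
    IcmpPacket("welchia-scan", "10.0.0.7", "10.0.1.23", ICMP_ECHO_REQUEST, b"A" * 64),
    IcmpPacket("yahoo-keepalive", "10.0.0.42", "198.51.100.10", ICMP_ECHO_REQUEST, b"A" * 64),
    IcmpPacket("stacheldraht-hello", "10.0.0.9", "203.0.113.5", ICMP_ECHO_REPLY, b"skillz"),
    IcmpPacket("normal-ping", "10.0.0.11", "10.0.0.1", ICMP_ECHO_REQUEST, bytes(range(56))),
)


def evaluate(packets, signatures=SIGNATURES):
    """Apply signatures first-match; return {label: (verdict, signature name or None)}."""
    verdicts = {}
    for pkt in packets:
        verdict = ("pass", None)
        for sig in signatures:
            if sig.matches(pkt):
                verdict = (sig.action, sig.name)
                break
        verdicts[pkt.label] = verdict
    return verdicts


def dropped_labels(packets, signatures=SIGNATURES):
    """Labels of packets an inline device would actually discard, sorted."""
    return sorted(lbl for lbl, (v, _) in evaluate(packets, signatures).items() if v == "drop")


def as_ids_mode(signatures):
    """Same content matches, every action downgraded to 'alert' (passive IDS)."""
    return tuple(Signature(s.name, s.icmp_type, s.content, "alert") for s in signatures)


if __name__ == "__main__":
    print("inline (IPS) mode:")
    for label, (verdict, name) in evaluate(SAMPLE_TRAFFIC).items():
        print(f"  {label:20s} {verdict:6s} {name or ''}")
    print("passive (IDS) mode drops:", dropped_labels(SAMPLE_TRAFFIC, as_ids_mode(SIGNATURES)))
```

Running it in inline mode drops the worm ping, the stacheldraht hello and the keepalive alike; the keepalive drop is the accepted false positive from the thread, and it disappears only if the rule is left at alert, which is the choice Geoff's site made by policy rather than by tightening the match.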