Network Security Focus-IDS

Re: Antigen forwarded attachment

Subject: Re: Antigen forwarded attachment
Date: Sun, 05 Sep 2004 07:44:16 +0400
Hi Raj,

Even before exploring different h/w configurations I suggest you read the
paper by Luca Deri on the limitations of libpcap on Linux and
how to fine-tune it, using his PF_RING patch:
http://luca.ntop.org/Ring.pdf

More details can be found at http://www.ntop.org/ntop.html.

HTH
-- 
Shashank Rai
------------
Network and Information Security Team,
Emirates Telecommunication Corporation,
Abu Dhabi, U.A.E.
Ph: +971-2-6182523   Office
    +971-50-6670648  Cell
GPG key:
http://pgp.cns.ualberta.ca:11371/pks/lookup?op=vindex&search=0x01B79474026E36F5

On Fri, 2004-09-03 at 10:20, Raj Malhotra wrote:
Hi All,

Based on the good discussion and feedback we had w.r.t our question we
conducted the following experiment:

1) The aim was to have some kind of system that allows us to view the
complete session of an attacker. We used one machine to run "tcpdump"
with the "-w" option, one machine to run "snort", and a "cisco 512",
all connected to the same 100Mbps hub.
2) Four machines were used to run tcpreplay at 10Mbps (from each
machine), to have an aggregate data rate of 25-30Mbps on the hub.
There were two valid buffer-overflows in the traffic, and both were
for the same vulnerability.
3) The machine configurations were as follows:
      for running snort and tcpdump:
      100Mbps Intel on-board NIC with e100 driver for Linux-RH-9.0
      512 RAM, P4-2.0 MHz, IDE 40GB hard disk at 10,000 RPM
      two 66MHz, 64bit PCI buses
      
Observations:
1) The two IDS were able to trigger an alert for the two attack streams,
2) but tcpdump logged only one of them; the other was logged only
partially (packets were dropped).

Questions:
1) Was the data rate too high for the particular machine configurations?
2) Do we need any modifications to the disk and network drivers to
improve the performance?
3) Is there an issue with regard to the way PCI buses on the
motherboard are associated with the cards connected to them? (One of
the Intel motherboard manuals says the speed of the bus will be equal
to the speed of the slowest card plugged into that bus.)

Any experiences with regard to the above queries will be appreciated.

Thanks

Raj
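A check a practitioner would want after an experiment like the one described above: before trusting a tcpdump capture as a record of an attacker's session, parse the counters tcpdump prints when it is stopped and compute the kernel drop ratio. This is an added example, not code from the thread; the summary text is constructed, while the counter names are the ones tcpdump itself prints.

```python
import re

# Constructed sample of what tcpdump prints on stderr when it is stopped
# (e.g. after "tcpdump -i eth0 -w capture.pcap"); not from the experiment above.
SAMPLE_SUMMARY = """\
48211 packets captured
53987 packets received by filter
5776 packets dropped by kernel
"""

_COUNTER = re.compile(
    r"^\s*(\d+)\s+packets\s+"
    r"(captured|received by filter|dropped by kernel|dropped by interface)\s*$",
    re.MULTILINE,
)


def parse_tcpdump_summary(text):
    """Return {counter name: value} for the summary lines tcpdump prints at exit."""
    return {m.group(2): int(m.group(1)) for m in _COUNTER.finditer(text)}


def drop_ratio(counts):
    """Fraction of filter-matching packets that never reached the capture file.

    'received by filter' counts packets that passed the BPF filter, including
    those the kernel later dropped because tcpdump was not reading its buffer
    fast enough (the symptom Raj saw at 25-30Mbps)."""
    received = counts.get("received by filter", 0)
    dropped = counts.get("dropped by kernel", 0) + counts.get("dropped by interface", 0)
    return dropped / received if received else 0.0


def capture_is_complete(counts, max_ratio=0.0):
    """True when the drop ratio is within what the analyst is willing to accept."""
    return drop_ratio(counts) <= max_ratio


if __name__ == "__main__":
    stats = parse_tcpdump_summary(SAMPLE_SUMMARY)
    print(stats, "drop ratio: %.1f%%" % (100 * drop_ratio(stats)))
    print("complete capture:", capture_is_complete(stats))
```

A non-zero kernel drop count means the pcap is missing packets even though the IDS on the same hub may still have alerted; raising the kernel buffer (tcpdump's -B option) or using the PF_RING approach from Deri's paper are the usual next steps.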



