Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: IDS evaluations procedures

from [Nathan Davidson] Network Security [Permanent Link]
Subject: RE: IDS evaluations procedures
Date: Wed, 13 Jul 2005 12:49:22 -0400 
If by "real" you mean standard Internet noise (port scans etc) then I
would say very approximately 6 events per minute, based on what I see on
our many Internet firewalls. This is of course a function of the size of
the IP subnet on that link. E.g. a class C gets a lot less malicious
packets than a class B because it has 1/255th of the IPs. Also if the
subnet contains say amazon.com it is going to be much more attractive
and therefore you will see many more probes.

Without knowing how much legitimate bandwidth you are sending I couldn't
say what the ratio is. But for a typical website with 10Mb/s of
legitimate traffic it is a fraction of a %

I guess you need to think about the maximum performance of your solution
and therefore you should err on the side of caution and go for a heavy
amount of attack traffic e.g. 5% or more. 



-----Original Message-----
From: Joel Esler [mailto:eslerj@gmail.com] 
Sent: 12 July 2005 15:48
To: david.sames@sparta.com
Cc: focus-ids@securityfocus.com
Subject: Re: IDS evaluations procedures

depends on the bandwidth of the network.

On 12 Jul 2005 02:40:18 -0000, david.sames@sparta.com
<david.sames@sparta.com> wrote:

I'm in the process of developing test procedures for evaluating an

internal anomaly-based detection system. I'd like to construct a test
set of nominal data peppered with attack data. What is a reasonable
ratio of attack data to "normal" traffic that is representative of
"real" systems.


Thanks,

Dave



------------------------------------------------------------------------
--

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to

http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.


------------------------------------------------------------------------
--





------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------
--



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: IDS and Bandwidth, THolman
Next by Date:  RE: IDS and Bandwidth, Nathan Davidson
Previous by Thread:  RE: IDS evaluations procedures, Omar Herrera
Next by Thread:  RE: IDS evaluations procedures, Sames, David
Indexes:  [Date] [Thread] [Top] [All Lists]