
| Subject: | Re: [Snort-users] An OK percentage of Dropped Packets? |
|---|---|
| Date: | Mon, 27 Dec 2004 14:44:14 -0500 |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.endace.com/networkMCards.htm

Matt Kettler wrote:
| At 12:08 PM 12/27/2004, snort@airedalez.net wrote:
|
|> I am just trying to figure out what an OK number of dropped packets are.
|
| OK is pretty much relative to your own level of risk... For me, OK is
| zero packets dropped, and any dropped packets are a problem.
|
| Any dropped packet *could* be a missed attack.
|
| If you're dropping packets on heavy load that an outsider can influence,
| then all an attacker needs to do to increase their chances of sneaking
| past your IDS is hammer your website with a lot of traffic and sneak an
| attack in, hoping it's dropped in the storm of other packets.
|
| However, if the only time the link gets sufficiently loaded to drop
| packets is when some internal servers do an rsync, well, that might not
| be so bad unless an attacker knows when the rsync runs.
|
| You really need to weigh several things together: 1) what causes packet
| drops, 2) how can they be controlled or predicted by outsiders, 3) your
| resource budget, and weigh those against 4) your level of risk.
|
|> I am running this on a 3.0 GHz machine.
|
| Yeah, but what kind of NIC? Is it a Realtek 8129 based 10/100 card
| (slow, and likely to cause packet drops on ANY machine) or something else?
|
| Are you using a standard libpcap, or Phil Wood's improved version with
| ring buffers?
|
| What kind of logging are you doing? Text, pcap, database? These affect
| snort's processing speed, thus its drop rate. If snort has to do a
| text-mode hex dump of a packet to a logfile, that's a lot slower than
| just dumping the raw binary to a file or database.
|
|> I doubt the network is saturating the monitoring port.
|
| Saturation doesn't really much matter here. Usually when people measure
| what percentage of a link is being utilized, it's an average over some
| period of time, 5 seconds, a minute, whatever. This is a measure of
| overall usage, but it's not a measure of how fast packets can come in.
|
| What matters most to snort is not what percentage of the link is used,
| but what the minimum time between packets is. If you're using Phil's
| version, it's how fast N+1 packets can come in, where N is the size of
| the ring buffer.
|
| There are other factors, like what rules get fired, and packet size has
| some impact too, but at the simplest level, snort's drop-rate
| performance is most closely tied to instantaneous packets-per-second
| rate, not to percentage of link used.

-- 
Wes Young
Network Security Analyst
University at Buffalo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)

iD8DBQFB0GYOzLe0Tk6uDXYRAuaGAKCmC+78SgbZSt2CeQGAieDLXuEfLQCghk9u
YBwZQvUu4YXa/rrIP0MUDos=
=b0x0
-----END PGP SIGNATURE-----
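The distinction Matt Kettler draws above, between a link's average utilisation and the instantaneous packet rate a ring-buffered capture has to absorb, can be made concrete by measuring both on a capture. The script below is an added worked example, not code from this thread, from Snort, or from Phil Wood's libpcap. It writes and parses a minimal libpcap file, reports average packets per second next to the peak 1 ms burst rate and the minimum inter-packet gap, and then runs a deliberately simplified queue model (one consumer, N slots, fixed per-packet service time) to count how many packets such a burst would overflow. The traffic is constructed: 600 packets at 10 pps plus one 200-packet burst 5 µs apart; the ring size of 64 slots and the 20 µs service time are assumptions chosen for illustration, not figures from any real sensor.

```python
"""Average link utilisation vs. instantaneous packet rate for an IDS sensor.

Constructed example, not from the Snort-users thread. The capture is synthetic:
a trickle of 10 pps over 60 s plus one 200-packet burst at 200,000 pps.
"""
import struct
from collections import deque

PCAP_MAGIC_LE = 0xA1B2C3D4


def build_pcap(timestamps_us, pkt_len=60):
    """Write a minimal little-endian libpcap file (LINKTYPE_ETHERNET) whose
    records carry the given microsecond timestamps. Payloads are zero-filled;
    only timing matters for this analysis."""
    # global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)]
    for ts in sorted(timestamps_us):
        sec, usec = divmod(ts, 1_000_000)
        out.append(struct.pack("<IIII", sec, usec, pkt_len, pkt_len))
        out.append(b"\x00" * pkt_len)
    return b"".join(out)


def parse_pcap(data):
    """Return [(timestamp_us, wire_len), ...] from a classic libpcap file,
    handling both byte orders and the nanosecond-resolution magic."""
    (magic,) = struct.unpack("<I", data[:4])
    formats = {              # magic as read little-endian -> (endian, frac divisor)
        0xA1B2C3D4: ("<", 1),     # little-endian, microsecond fractions
        0xD4C3B2A1: (">", 1),     # big-endian, microsecond fractions
        0xA1B23C4D: ("<", 1000),  # little-endian, nanosecond fractions
        0x4D3CB2A1: (">", 1000),  # big-endian, nanosecond fractions
    }
    if magic not in formats:
        raise ValueError("not a libpcap capture: magic 0x%08x" % magic)
    endian, frac_div = formats[magic]
    pkts, off = [], 24
    while off + 16 <= len(data):
        sec, frac, caplen, wirelen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16 + caplen
        pkts.append((sec * 1_000_000 + frac // frac_div, wirelen))
    return pkts


def average_pps(pkts):
    """Packets per second over the whole capture: what a utilisation graph shows."""
    span_us = pkts[-1][0] - pkts[0][0]
    return len(pkts) * 1_000_000 / span_us if span_us else float("inf")


def peak_window_count(pkts, window_us):
    """Largest number of packets inside any window_us-wide interval
    (two-pointer sweep over the time-sorted list). Divided by the window,
    this is the instantaneous rate the sensor actually has to absorb."""
    best = j = 0
    for i in range(len(pkts)):
        while pkts[i][0] - pkts[j][0] > window_us:
            j += 1
        best = max(best, i - j + 1)
    return best


def min_gap_us(pkts):
    """Shortest time between two consecutive packets."""
    return min(b[0] - a[0] for a, b in zip(pkts, pkts[1:]))


def ring_buffer_drops(pkts, ring_slots, service_us):
    """Simplified model (assumption, not Snort's real pipeline): a packet
    occupies one of ring_slots slots until a single consumer has spent
    service_us on it; a packet arriving while every slot is occupied is
    dropped. Returns the number of dropped packets."""
    in_flight = deque()  # completion time of each packet still holding a slot
    drops = 0
    for ts, _ in pkts:
        while in_flight and in_flight[0] <= ts:
            in_flight.popleft()
        if len(in_flight) >= ring_slots:
            drops += 1
            continue
        start = max(ts, in_flight[-1]) if in_flight else ts
        in_flight.append(start + service_us)
    return drops


def sample_capture():
    """Constructed traffic: 600 packets at 10 pps over 60 s, plus 200 packets
    5 us apart (200,000 pps) starting at t = 30.0005 s."""
    trickle = [1_000_000 + 100_000 * k for k in range(600)]
    burst = [30_000_500 + 5 * i for i in range(200)]
    return build_pcap(trickle + burst)


def report(data, ring_slots=64, service_us=20):
    pkts = parse_pcap(data)
    return {
        "packets": len(pkts),
        "average_pps": average_pps(pkts),
        "peak_pps_1ms": peak_window_count(pkts, 1000) * 1000,
        "min_gap_us": min_gap_us(pkts),
        "drops": ring_buffer_drops(pkts, ring_slots, service_us),
    }


if __name__ == "__main__":
    for key, value in report(sample_capture()).items():
        print(f"{key:>13}: {value}")
```

On this capture the average is about 13 pps, which no utilisation graph would flag, while the 1 ms peak is 200,000 pps with a 5 µs minimum gap; with 64 slots and 20 µs of work per packet the model drops 87 of the 200 burst packets, and the same burst into 1000 slots drops none. That is the N+1 point in the quoted message: the burst length relative to the ring size decides the drop count, not the minute-average load.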