Being in a high-optempo environment such as I am. I judge 0% to be
acceptable. With a max of about 3%. But I haven't had any packet
loss in over a year. (On a box running a 1.6 GHZ with 256Ms of RAM,
on a rather large circuit.. It has alot to do with rule tuning and
output module as well..)
On 5/23/05, Matt Kettler <mkettler@evi-inc.com> wrote:
Byron Pezan wrote:
What do most of you consider to acceptable packet loss?
I am running snort 2.1 on some fairly low end hardware and have tuned
the box using some suggestions from Mark Kettler in one of his earlier
posts to the list
(http://marc.theaimsgroup.com/?l=snort-users&m=105586643024094&w=2). I
am seeing about 4% packet loss on this sensor during my (un-scientific)
testing. Would you consider that acceptable or should I look into
further tuning?
My name is Matt, not Mark :)
That aside, really what level of packet loss is acceptable depends a lot on
what
your security goals are.
To a person operating a high-threat, high-security network, any packet loss is
completely unacceptable, as it means an attack could be missed. A
sophisticated
attacker may try to intentionally load down the IDS with a bogus alarm that is
likely to be ignored just fractions of a second before the real attack.
If your goals with snort are just to increase your security awareness a bit,
then some packet loss may be acceptable to you.
So, I guess you could boil it down this way:
Are you concerned with detecting sophisticated attackers who try to use noise
to
evade IDS detection. If so, you need 0% loss.
If you aren't concerned with the evasive attacks, what percentage of ordinary
attacks are you willing to accept not knowing about? Your packet loss rate
should definitely be less than this number.
As a rule-of-thumb I might suggest trying to keep your packet loss at less
than
half your accepted miss rate.
I'll admit that "factor of one half" is largely a gut-instinct number and has
no
measured basis. However, it is definitely true that the impact of a packet
loss
can be much greater than missing one packet worth of data when you start
considering that stream4 can get confused about the connection state,
particularly if it misses a syn packet. Weighing that back and forth with how
few packets are syn packets leads me to feel that somewhere between 3/4 and
1/4
would be about the right weighting factor. As this is a very inexact guess I
certainly invite you to think about this yourself and come to your own
conclusions.
-------------------------------------------------------
This SF.Net email is sponsored by Oracle Space Sweepstakes
Want to be the first software developer in space?
Enter now for the Oracle Space Sweepstakes!
http://ads.osdn.com/?ad_id=7412&alloc_id=16344&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Joel Esler
BASE Project Lead
http://sourceforge.net/projects/secureideas
-------------------------------------------------------
This SF.Net email is sponsored by Oracle Space Sweepstakes
Want to be the first software developer in space?
Enter now for the Oracle Space Sweepstakes!
http://ads.osdn.com/?ad_idt12&alloc_id�344&opÌk
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
