Intrusion Detection Systems mailing list archives

Real Traffic (was Re: BlackICE IDS)


From: robert_david_graham () yahoo com (Robert Graham)
Date: Mon, 6 Dec 1999 14:26:07 -0800 (PST)



--- "Marcus J. Ranum" <mjr () nfr net> wrote:
> Greg Shipley writes:
> > 2. I would encourage anyone who is doing testing to get as close to REAL
> > traffic as possible.
>
> As a vendor, let me comment that Greg's 100% right!

I agree even more. It's actually more than that. It's not so much "real"
traffic, so much as "your" traffic. The performance of an IDS that you put
outside your firewall to watch HTTP traffic in/out of your webserver is going
to perform differently when you stick it inside the network to look at SMB
traffic between clients/servers. There is some basic per-packet code that is
shared, but the application layer parsing code can get very in-depth, and
therefore accounts for a major percentage of the performance.

Along with this, I should mention that there is sometimes a tradeoff between
speed and accuracy. For example, when RFP released "whisker", he put some
interesting anti-IDS capabilities in it; so we immediately updated BlackICE to
parse around them. QED: something like BlackICE will perform a little slower on
HTTP URL processing than something like 'snort', but on the other hand it is
more "accurate" and harder to evade. (NB: 'snort' is a really cool open-source
NIDS that essentially dumps network traffic through a regular expression
parser.)

The unfortunate thing is that objective metrics like "packets-second" or
"number of signatures" or similar numbers frequently miss the point. Therefore,
the only real solution is to run the NIDS in your own environment, throw some
attacks onto the wire, and see if it works.

Regards,
Rob.

=====
Robert Graham
"Anxiously awaiting the millennium so I can start programming
dates with 2-digits again."
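The speed/accuracy tradeoff the post describes, as an added example that is not part of the original message and not code from BlackICE or snort: a matcher that runs a regular expression over the raw request line beside one that first parses the request and canonicalizes the path (percent-decoding, dropping the query string, collapsing "." and ".." segments) before comparing it against a signature. The signature path and the request lines are constructed for illustration; the second matcher does more work per request, which is the cost the post refers to, but it reaches the same verdict regardless of how the path was spelled.

```python
"""Raw-byte regex matching versus parse-then-match for HTTP request lines.
Added illustration; signature paths and request lines are constructed."""
import re
from urllib.parse import unquote

# Hypothetical signature: a path we want to alert on (constructed, not a
# real IDS signature).
SIGNATURE_PATHS = {"/cgi-bin/example-vuln.cgi"}

# Regex-style approach: one pattern per signature, run over the raw bytes.
# Fast, but it only fires on the exact byte sequence in the signature.
RAW_PATTERNS = [re.compile(re.escape(p)) for p in SIGNATURE_PATHS]

# Minimal HTTP/1.x request-line grammar: METHOD SP request-target SP HTTP/x.y
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)\r?$")


def raw_match(request_line: str) -> bool:
    """Regex over the raw request line, no decoding or parsing."""
    return any(p.search(request_line) for p in RAW_PATTERNS)


def canonicalize_path(target: str) -> str:
    """Reduce a request-target to the path a web server would actually serve.

    Steps: drop query and fragment, percent-decode once, normalise the
    separator, then collapse empty, "." and ".." segments.
    """
    path = target.split("?", 1)[0]
    path = path.split("#", 1)[0]
    path = unquote(path)            # %XX decoding (single round)
    path = path.replace("\\", "/")  # treat backslash as a separator too
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                # "//" and "/./" add nothing
        if seg == "..":
            if out:
                out.pop()           # ".." steps back one segment
            continue
        out.append(seg)
    return "/" + "/".join(out)


def parsed_match(request_line: str) -> bool:
    """Parse the request line, canonicalize the path, then compare."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return False                # not a well-formed request line
    return canonicalize_path(m.group("target")) in SIGNATURE_PATHS


# Constructed request lines: the same path spelled several ways, plus a
# benign request.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/example-vuln.cgi HTTP/1.0",                 # as written
    "GET /cgi-bin/example%2Dvuln.cgi HTTP/1.0",               # percent-encoded "-"
    "GET /cgi-bin/./example-vuln.cgi HTTP/1.0",               # self-referencing dir
    "GET /images/../cgi-bin/example-vuln.cgi?x=1 HTTP/1.0",   # ".." plus query string
    "GET /index.html HTTP/1.0",                               # benign
]


def compare(requests):
    """Return (request, raw_verdict, parsed_verdict) for each request line."""
    return [(r, raw_match(r), parsed_match(r)) for r in requests]


if __name__ == "__main__":
    for line, raw, parsed in compare(SAMPLE_REQUESTS):
        print(f"raw={raw!s:5}  parsed={parsed!s:5}  {line}")
```

The raw matcher alerts on the first and fourth lines only (the fourth still contains the literal byte sequence); the parsing matcher alerts on the first four and stays quiet on the benign request. A production parser would also have to decide how far to canonicalize (repeated decoding, server-specific separator handling), and every extra step is paid on every request, which is exactly why the two approaches sit at different points on the speed/accuracy curve.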
