Intrusion Detection Systems mailing list archives

[Moderator FWD] Re: BlackICE IDS


From: justin.lister () csfb com (Lister, Justin)
Date: Wed, 8 Dec 1999 08:57:48 +0800



Date: Mon, 06 Dec 1999 14:19:29 -0500
From: Martin Roesch <roesch () hiverworld com>
To: ids list <ids () uow edu au>
Subject: Re: IDS: BlackICE IDS

[I tried sending this mail yesterday, but it hasn't shown up on the list
for unknown reasons.  Apologies if it shows up twice.]

Robert Graham wrote:

> You can run the "blackd.exe" program directly from tracefiles. The
> blackice daemon is the executable for all the products, so you can use
> the $40 Defender (home-user) version from our website. Simply do "blackd
> -r snort-1.log" (where "snort-1.log" is the uncompressed tracefile from
> your website). Unfortunately, figuring out the performance info from this
> is problematic because:
> 1. it'll take longer to initialize and shutdown than read the files;
> they're only about 150 megabytes in size.
> 2. unless you have a high-speed DMA RAID system, disk speed will be the
> dominating factor

A better solution is to use Dug Song's tcpreplay to retransmit the
packet traffic files directly onto the network at a selectable speed, so
that you get a "Real World" test of the performance while reading data
through the NIC.

> 3. the files contain almost pure attacks, which means you're testing
> event-logging speed more than packet capture / analysis speed.
> (Interesting by itself, but not the point).

Isn't this *exactly* the point?  If your IDS takes a massive performance
hit when it has to actually perform its primary function, this is
probably the most important thing of all to test!  If it can be flooded
out due to inefficiencies of the event generation mechanism by massive
multiple simultaneous attacks, this would be a key testing point in my
mind.  If your IDS goes blind when it gets into its most important
performance regime, that's noteworthy! (I'm not saying yours does, but I
think this is certainly a valid performance test of a NIDS.  I test
Snort's performance by running my 100Mbps network with ~80Mbps of
"noise" traffic and multiple simultaneous attacks, then gauge how many
of the attacks it saw and what the reported packet loss was, for
example.)

--
Martin Roesch                      <roesch () hiverworld com>
Senior Software Engineer         http://www.hiverworld.com
Hiverworld, Inc.               Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment
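The test Roesch describes above (replay a trace with ~80Mbps of noise plus known attacks, then count which attacks the sensor reported and what packet loss it admitted to) needs a scoring step. The harness below is an added example, not code from this thread, from Snort or from BlackICE; the one-line alert format, the ground-truth attack list and the packet counts are all constructed for illustration.

```python
import re

# Constructed ground truth: attacks mixed into the replayed trace, as
# (source, destination, keyword expected in the sensor's alert message).
GROUND_TRUTH = [
    ("10.1.1.5", "10.1.1.20", "portscan"),
    ("10.1.1.6", "10.1.1.21", "phf"),
    ("10.1.1.7", "10.1.1.22", "nmap"),
    ("10.1.1.8", "10.1.1.23", "teardrop"),
]

# Constructed sensor output from two runs, in a Snort-1.x-style one-line
# form: quiet network (baseline) and the same attacks under ~80Mbps of noise.
ALERTS_QUIET = """\
[**] SCAN portscan detected [**] 10.1.1.5 -> 10.1.1.20
[**] WEB-CGI phf access [**] 10.1.1.6 -> 10.1.1.21
[**] SCAN nmap fingerprint attempt [**] 10.1.1.7 -> 10.1.1.22
[**] DOS teardrop attack [**] 10.1.1.8 -> 10.1.1.23
"""
ALERTS_LOADED = """\
[**] SCAN nmap fingerprint attempt [**] 10.1.1.7 -> 10.1.1.22
[**] WEB-CGI phf access [**] 10.1.1.6 -> 10.1.1.21
[**] ICMP ping [**] 10.1.1.50 -> 10.1.1.60
"""

ALERT_RE = re.compile(r"\[\*\*\] (?P<msg>.+?) \[\*\*\] (?P<src>\S+) -> (?P<dst>\S+)")

def parse_alerts(text):
    """Return (src, dst, msg) for each alert line; non-matching lines are skipped."""
    matches = (ALERT_RE.match(line) for line in text.splitlines())
    return [(m["src"], m["dst"], m["msg"]) for m in matches if m]

def _matches(alert, truth):
    return alert[0] == truth[0] and alert[1] == truth[1] and truth[2] in alert[2].lower()

def score_run(alert_text, ground_truth, pkts_sent, pkts_dropped):
    """Detection rate against ground truth plus the sensor's own reported loss."""
    alerts = parse_alerts(alert_text)
    missed = [t for t in ground_truth if not any(_matches(a, t) for a in alerts)]
    unexpected = [a for a in alerts if not any(_matches(a, t) for t in ground_truth)]
    return {
        "detection_rate": 1 - len(missed) / len(ground_truth),
        "missed": missed,
        "unexpected_alerts": len(unexpected),
        "packet_loss": pkts_dropped / pkts_sent,
    }

def went_blind_under_load(baseline, loaded, max_drop=0.1):
    """True when detection fell by more than max_drop between the two runs."""
    return baseline["detection_rate"] - loaded["detection_rate"] > max_drop
```

A missed attack with low reported loss points at the event-generation path rather than capture, which is the distinction the thread argues over.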
