
Re: [ISSForum] network sensor 7 performance



I have enabled the dropped packet notification on my NS V7.0 and one of the
sensors is reporting that it is dropping a number of packets. Could this be for
the same reason as described below?

regards

Jeff Ames

----- Original Message ----- 
From: "Robert Graham" <robert_david_graham@xxxxxxxxx>
To: "Johnson, Scott" <sjohnson1@xxxxxxxxx>; "issforum@xxxxxxxxxxxxxxxx" <issforum@xxxxxxx>
Sent: Monday, January 05, 2004 8:32 AM
Subject: Re: [ISSForum] network sensor 7 performance


> Unless something is drastically wrong, the sensor generally doesn't drop
> packets. Remember that RealSecure version 7.0 is roughly 10 times faster than
> RealSecure version 6.0, therefore, whereas v6 customers worried about packet
> loss, v7 customers generally don't.
>
> By far the best way to monitor the situation is the event "SensorStatistics".
> If enabled in the policy, it will trigger every 15 minutes, and include a
> number of interesting numbers in the "event details" portion. One of the most
> important numbers counts the number of TCP "acknowledgements" for data that the
> sensor didn't see. (In other words, the machines on either end saw the data,
> but the network sensor didn't). This will tell you when the sensor drops
> packets, as well as when packets are being dropped before they reach the
> sensor. A lot of customers have used this number to figure out that their
> switch's monitor port was dropping occasional packets.
>
> The sensor itself can tell you when it thinks it has dropped a packet with the
> "SensorError" events, but I think "SensorStatistics" is better.
>
> Note that you should never run an IDS under the condition where a certain
> percentage of packets is being dropped. An IDS is either dropping packets, or
> it isn't. Even a small number of dropped packets can lead to high numbers of
> false-positives and false-negatives. Part of the installation procedure is to
> make sure it is installed in such a way that it isn't dropping packets. In
> other words, the SensorStatistic value of "tcp.nodataacks" should be always
> zero.
>
> Robert Graham
> Chief Scientist, ISS
>
> --- "Johnson, Scott" <sjohnson1@xxxxxxxxx> wrote:
> > How can I monitor the network sensor for bandwidth allocation and what
> > percentage of packets are being dropped?
> >
> > Scott Johnson, CISSP, GSEC
> > ERCOT  Cyber Security
> > Office  512-248-3152
> > Cell     512-917-9844
> >
>
>
> =====
> Robert Graham
> play[http://www.robertgraham.com]    work[http://iss.net]
> "Security is mostly a superstition, it does not exist in nature" -- H. Keller
>
> _______________________________________________
> ISSForum mailing list
> ISSForum@xxxxxxx
>
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
>
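Added example (not part of the original thread, and not ISS code): a sketch of the check described in the quoted reply, counting TCP acknowledgements for data the capture point never saw. The packet record, function names and the sample trace are constructed for illustration; how RealSecure itself computes "tcp.nodataacks" is not stated in the thread.

```python
# Constructed example: count ACKs that acknowledge bytes the monitor never saw.
def seq_after(a, b):
    """True if 32-bit TCP sequence number a is strictly after b (wrap-safe)."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

def pkt(src, dst, seq, ack=None, length=0, syn=0, fin=0):
    """Hypothetical minimal packet record; ack=None means the ACK flag is clear."""
    return dict(src=src, dst=dst, seq=seq, ack=ack, length=length, syn=syn, fin=fin)

def count_nodata_acks(packets):
    """Return how many ACKs cover data missing from the capture, in trace order."""
    next_seq = {}  # (src, dst) -> sequence number just past the last byte seen
    missing = 0
    for p in packets:
        fwd, rev = (p["src"], p["dst"]), (p["dst"], p["src"])
        # SYN and FIN each consume one sequence number, like a payload byte.
        end = (p["seq"] + p["length"] + p["syn"] + p["fin"]) & 0xFFFFFFFF
        if fwd not in next_seq or seq_after(end, next_seq[fwd]):
            next_seq[fwd] = end  # retransmissions do not move this backwards
        # Skip directions never observed (mid-stream pickup, one-way capture).
        if p["ack"] is not None and rev in next_seq and seq_after(p["ack"], next_seq[rev]):
            missing += 1
            next_seq[rev] = p["ack"]  # resync so one gap is counted once
    return missing

C, S = "10.0.0.5:40000", "10.0.0.9:80"  # constructed endpoints
FULL = [
    pkt(C, S, 1000, syn=1),
    pkt(S, C, 5000, ack=1001, syn=1),
    pkt(C, S, 1001, ack=5001),
    pkt(C, S, 1001, ack=5001, length=100),
    pkt(S, C, 5001, ack=1101),
    pkt(C, S, 1101, ack=5001, length=200),  # the segment the monitor will miss
    pkt(S, C, 5001, ack=1301),
    pkt(C, S, 1301, ack=5001, length=50),
    pkt(S, C, 5001, ack=1351),
]
DROPPED = FULL[:5] + FULL[6:]  # same conversation as seen through a lossy tap

if __name__ == "__main__":
    print("complete capture:", count_nodata_acks(FULL))
    print("lossy capture:   ", count_nodata_acks(DROPPED))
```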