
[ISSForum] network sensor 7 performance



I have enabled the dropped packet notification on my NS V7.0 and one of the
sensors is reporting that it is dropping a number of packets. Could the reason
below be an explanation?

regards

Jeff Ames

----- Original Message ----- 
From: "Jeanne" <jhunt1@xxxxxxxxxxxxxxxx>
To: "Robert Graham" <robert_david_graham@xxxxxxxxx>
Cc: "issforum@xxxxxxxxxxxxxxxx" <issforum@xxxxxxx>
Sent: Monday, January 05, 2004 9:03 PM
Subject: Re: [ISSForum] network sensor 7 performance


> Robert, Thanks for a great explanation.  I am also looking to see if my
> sensor is dropping packets or not.
>
> I use RealSecure Network Sensors V. 7.
>
> Where do I change the configuration for
>
> SensorStatistics and
> SensorError
>
>
> Where do
>
> Robert Graham wrote:
>
> >Unless something is drastically wrong, the sensor generally doesn't drop
> >packets. Remember that RealSecure version 7.0 is roughly 10 times faster than
> >RealSecure version 6.0, therefore, whereas v6 customers worried about packet
> >loss, v7 customers generally don't.
> >
> >By far the best way to monitor the situation is the event "SensorStatistics".
> >If enabled in the policy, it will trigger every 15 minutes, and include a
> >number of interesting numbers in the "event details" portion. One of the most
> >important numbers counts the number of TCP "acknowledgements" for data that the
> >sensor didn't see. (In other words, the machines on either end saw the data,
> >but the network sensor didn't). This will tell you when the sensor drops
> >packets, as well as when packets are being dropped before they reach the
> >sensor. A lot of customers have used this number to figure out that their
> >switch's monitor port was dropping occasional packets.
> >
> >The sensor itself can tell you when it thinks it has dropped a packet with the
> >"SensorError" events, but I think "SensorStatistics" is better.
> >
> >Note that you should never run an IDS under the condition where a certain
> >percentage of packets is being dropped. An IDS is either dropping packets, or
> >it isn't. Even a small number of dropped packets can lead to high numbers of
> >false-positives and false-negatives. Part of the installation procedure is to
> >make sure it is installed in such a way that it isn't dropping packets. In
> >other words, the SensorStatistic value of "tcp.nodataacks" should be always
> >zero.
> >
> >Robert Graham
> >Chief Scientist, ISS
> >
> >--- "Johnson, Scott" <sjohnson1@xxxxxxxxx> wrote:
> >
> >
> >>How can I monitor the network sensor for bandwidth allocation and what
> >>percentage of packets are being dropped?
> >>
> >>Scott Johnson, CISSP, GSEC
> >>ERCOT  Cyber Security
> >>Office  512-248-3152
> >>Cell     512-917-9844
> >>
> >>
> >>
> >
> >
> >=====
> >Robert Graham
> >play[http://www.robertgraham.com]    work[http://iss.net]
> >"Security is mostly a superstition, it does not exist in nature" -- H. Keller
> >
_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
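
The idea behind the counter described in the quoted reply (TCP acknowledgements for data the sensor never saw) can be modelled in a few lines. This is an added example, not part of the thread and not ISS code or the way RealSecure computes "tcp.nodataacks"; the names `Seg`, `Direction`, `count_unseen_acks` and the sample captures are hypothetical and constructed. It assumes no sequence-number wraparound and ignores SYN/FIN sequence space.

```python
# Added illustration; all names are hypothetical, not RealSecure internals.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Seg:
    src: str
    dst: str
    seq: int      # sequence number of first payload byte
    length: int   # payload bytes carried
    ack: int      # next byte this sender expects from its peer

@dataclass
class Direction:
    seen_to: int                                  # contiguous bytes observed (exclusive)
    pending: dict = field(default_factory=dict)   # out-of-order data: seq -> end
    def merge(self):
        while True:  # fold buffered ranges that now touch the contiguous mark
            ready = [s for s in self.pending if s <= self.seen_to]
            if not ready:
                return
            for s in ready:
                self.seen_to = max(self.seen_to, self.pending.pop(s))

def count_unseen_acks(segments):
    """Count ACKs that cover peer bytes the sensor never observed."""
    # Assumes no sequence wraparound; SYN/FIN sequence space is ignored.
    flows, unseen = {}, 0
    for p in segments:
        peer = flows.get((p.dst, p.src))
        if peer is not None and p.ack > peer.seen_to:
            unseen += 1
            peer.seen_to = p.ack      # resync so each gap is counted once
            peer.merge()
        if p.length:
            d = flows.setdefault((p.src, p.dst), Direction(seen_to=p.seq))
            d.pending[p.seq] = max(p.seq + p.length, d.pending.get(p.seq, 0))
            d.merge()
    return unseen

# Constructed capture: client C fetches 1700 bytes from server S.
FULL = [
    Seg("C", "S", 1, 100, 1), Seg("S", "C", 1, 500, 101),
    Seg("C", "S", 101, 0, 501), Seg("S", "C", 501, 500, 101),
    Seg("S", "C", 1001, 500, 101), Seg("C", "S", 101, 0, 1501),
    Seg("S", "C", 1501, 200, 101), Seg("C", "S", 101, 0, 1701),
]
# Same flow as a sensor sees it when the monitor port drops one data segment.
LOSSY = [s for s in FULL if (s.src, s.seq) != ("S", 501)]
# Same flow with two data segments reordered but none lost.
REORDERED = FULL[:3] + [FULL[4], FULL[3]] + FULL[5:]
```

Only the capture with a missing segment yields a non-zero count; reordering alone does not, which is why a non-zero value points at loss in the sensor or in front of it.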