
Re: [ISSForum] network sensor 7 performance



Do you configure this parameter in PAM? If so, what are the values to
specify?

Osaro Osagie
Corporate Security
Fidelity Information Services



From:    Robert Graham <robert_david_graham@yahoo.com>
To:      "Johnson, Scott" <sjohnson1@xxxxxxxxx>, "issforum@xxxxxxxxxxxxxxxx" <issforum@xxxxxxx>
cc:
Date:    01/05/2004 03:32 AM
Subject: Re: [ISSForum] network sensor 7 performance



Unless something is drastically wrong, the sensor generally doesn't drop
packets. Remember that RealSecure version 7.0 is roughly 10 times faster
than RealSecure version 6.0; therefore, whereas v6 customers worried about
packet loss, v7 customers generally don't.

By far the best way to monitor the situation is the event
"SensorStatistics". If enabled in the policy, it will trigger every 15
minutes and include a number of interesting numbers in the "event details"
portion. One of the most important numbers counts the number of TCP
"acknowledgements" for data that the sensor didn't see. (In other words,
the machines on either end saw the data, but the network sensor didn't.)
This will tell you when the sensor drops packets, as well as when packets
are being dropped before they reach the sensor. A lot of customers have
used this number to figure out that their switch's monitor port was
dropping occasional packets.

The sensor itself can tell you when it thinks it has dropped a packet with
the "SensorError" events, but I think "SensorStatistics" is better.

Note that you should never run an IDS under the condition where a certain
percentage of packets is being dropped. An IDS is either dropping packets,
or it isn't. Even a small number of dropped packets can lead to high
numbers of false positives and false negatives. Part of the installation
procedure is to make sure it is installed in such a way that it isn't
dropping packets. In other words, the SensorStatistics value of
"tcp.nodataacks" should always be zero.

Robert Graham
Chief Scientist, ISS

--- "Johnson, Scott" <sjohnson1@xxxxxxxxx> wrote:
> How can I monitor the network sensor for bandwidth allocation and what
> percentage of packets are being dropped?
>
> Scott Johnson, CISSP, GSEC
> ERCOT  Cyber Security
> Office  512-248-3152
> Cell     512-917-9844
>


=====
Robert Graham
play[http://www.robertgraham.com]    work[http://iss.net]
"Security is mostly a superstition, it does not exist in nature" -- H. Keller

_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
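The "tcp.nodataacks" idea above is worth seeing in code, because it is the one packet-loss signal a passive sensor can get from ground truth rather than from its own counters: the endpoints acknowledge every byte they exchanged, so an ACK that covers bytes the sensor never saw proves a gap somewhere between the wire and the analysis engine. The block below is an added illustration written for this page, not RealSecure code and not ISS's actual implementation (the list message describes the counter, not how it is computed). It assumes a minimal per-segment view (source, destination, seq, ack, flags, payload length); the host addresses, sequence numbers and the two traces are constructed for the example.

```python
"""Count TCP acknowledgements for data a passive sensor never observed.

Added example for the "tcp.nodataacks" discussion; it is not RealSecure
code. Per direction of a connection it tracks the highest sequence number
the sensor has seen, then flags any ACK from the other side that reaches
beyond it: the endpoints exchanged those bytes, the sensor did not.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEQ_MOD = 1 << 32


def seq_gt(a: int, b: int) -> bool:
    """True if 32-bit sequence number a is strictly after b (serial arithmetic)."""
    return a != b and ((a - b) % SEQ_MOD) < (SEQ_MOD >> 1)


@dataclass(frozen=True)
class Packet:
    """Minimal TCP segment view. flags holds any of 'S', 'A', 'F'."""
    src: str
    dst: str
    seq: int
    ack: int
    flags: str
    payload: int = 0  # payload length in bytes


class NoDataAckCounter:
    def __init__(self) -> None:
        # Highest sequence number (exclusive) observed per (sender, receiver).
        self.seen_end: Dict[Tuple[str, str], int] = {}
        self.nodataacks = 0     # ACKs covering bytes the sensor never saw
        self.missing_bytes = 0  # total size of the gaps those ACKs reveal

    def feed(self, p: Packet) -> None:
        fwd = (p.src, p.dst)
        rev = (p.dst, p.src)
        # SYN and FIN each consume one sequence number.
        end = (p.seq + p.payload + int("S" in p.flags) + int("F" in p.flags)) % SEQ_MOD
        if fwd not in self.seen_end or seq_gt(end, self.seen_end[fwd]):
            self.seen_end[fwd] = end
        # An ACK from p.src acknowledges bytes sent by p.dst, i.e. the reverse
        # direction. Skip if we picked the stream up without seeing that side.
        if "A" in p.flags and rev in self.seen_end:
            expected = self.seen_end[rev]
            if seq_gt(p.ack, expected):
                self.nodataacks += 1
                self.missing_bytes += (p.ack - expected) % SEQ_MOD
                self.seen_end[rev] = p.ack  # resync so each gap counts once

    def healthy(self) -> bool:
        """The message above sets the bar: the count must be zero."""
        return self.nodataacks == 0


def count_nodataacks(packets: List[Packet]) -> Tuple[int, int]:
    c = NoDataAckCounter()
    for p in packets:
        c.feed(p)
    return c.nodataacks, c.missing_bytes


# Constructed sample traffic (hypothetical hosts and sequence numbers).
C, S = "10.0.0.5", "10.0.0.80"


def clean_trace() -> List[Packet]:
    """Handshake plus one 100-byte client segment, everything observed."""
    return [
        Packet(C, S, 1000, 0, "S"),
        Packet(S, C, 5000, 1001, "SA"),
        Packet(C, S, 1001, 5001, "A"),
        Packet(C, S, 1001, 5001, "A", 100),
        Packet(S, C, 5001, 1101, "A"),
    ]


def lossy_trace() -> List[Packet]:
    """Same start, then a 200-byte client segment the sensor missed."""
    t = clean_trace()
    # Not fed: Packet(C, S, 1101, 5001, "A", 200) -- lost at the SPAN port.
    t += [
        Packet(S, C, 5001, 1301, "A"),  # server acks bytes 1101..1300 never seen
        Packet(C, S, 1301, 5001, "A", 50),
        Packet(S, C, 5001, 1351, "A"),
    ]
    return t


if __name__ == "__main__":
    print("clean:", count_nodataacks(clean_trace()))  # (0, 0)
    print("lossy:", count_nodataacks(lossy_trace()))  # (1, 200)
```

Two caveats when reading such a counter on a real sensor. It tells you that bytes went missing between the endpoints and the analysis engine, not where: an oversubscribed monitor port, a NIC dropping under load and the engine itself all look the same, so correlate it with interface and kernel drop counters before blaming the switch. And because each ACK only covers the opposite direction, a feed that carries one side of the conversation (asymmetric routing, a one-directional tap) will make the count climb even though nothing is being dropped; the fix there is the tap, not the sensor.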



