[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [ISSForum] network sensor 7 performance
Do you configure this parameter in PAM? If so what are the values to
Fidelity Information Services
<robert_david_graham To: "Johnson, Scott" <sjohnson1@xxxxxxxxx>, "issforum@xxxxxxxxxxxxxxxx"
01/05/2004 03:32 AM Subject: Re: [ISSForum] network sensor 7 performance
Unless something is drastically wrong, the sensor generally doesn't drop
packets. Remember that RealSecure version 7.0 is roughly 10 times faster
RealSecure version 6.0, therefore, whereas v6 customers worried about
loss, v7 customers generally don't.
By far the best way to monitor the situation is the event
If enabled in the policy, it will trigger every 15-minutes, and include a
number of interesting numbers in the "event details" portion. One of the
important numbers counts the number of TCP "acknowledgements" for data that
sensor didn't see. (In other words, the machine's on either end saw the
but the network sensor didn't). This will tell you when the sensor drops
packets, as well as when packets are being dropped before they reach the
sensor. A lot of customers have used this number to figure out that their
switch's monitor port was dropping occasional packets.
The sensor itself can tell you when it thinks it has dropped a packet with
"SensorError" events, but I think "SensorStatistics" is better.
Note that you should never run an IDS under the condition where a certain
percentage of packets is being dropped. An IDS is either dropping packets,
it isn't. Even a small number of dropped packets can lead to high numbers
false-positives and false-negatives. Part of the installation procedure is
make sure it is installed in such a way that it isn't dropping packets. In
other words, the SensorStatistic value of "tcp.nodataacks" should be always
Chief Scientist, ISS
--- "Johnson, Scott" <sjohnson1@xxxxxxxxx> wrote:
> How can I monitor the network sensor for bandwidth allocation and what
> percentage of packets are being dropped?
> Scott Johnson, CISSP, GSEC
> ERCOT Cyber Security
> Office 512-248-3152
> Cell 512-917-9844
"Security is mostly a superstition, it does not exist in nature" -- H.
Do you Yahoo!?
Find out what made the Top Yahoo! Searches of 2003
ISSForum mailing list
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
ISSForum mailing list
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo