[Bro] Test Set question

Christian Kreibich christian at whoop.org
Mon Jul 11 17:19:16 PDT 2005

On Mon, 2005-07-11 at 13:11 -0400, Sames, David wrote:
> Does anyone know what the ratio of “attack traffic” to “normal
> traffic” is in a “representative” network? It’s a pretty open-ended
> question, but I need to construct a (decent) data set for an internal
> evaluation I’m doing. I’d like to make sure (to the extent possible)
> that the attack data isn’t unfairly represented in the set.

I think that really depends on way too many things (size of net, host
population, IP range, background traffic, firewalling, organizational
policies, the aim of your eval, etc) to be answerable in general. Try
asking on SecrurityFocus' focus-ids list instead?

Good luck,

More information about the Bro mailing list