[Bro] IDS newbie. Question on security Vs performance

sudhakar govindavajhala sudhakarg79spam at gmail.com
Mon Dec 4 04:50:58 PST 2006

Hi all,

I am a post-doc at Princeton.   I am new to Bro/IDS systems and am pondering
on fuure research ideas.   I am thinking of researching Bro, Snort and other
intrusion detection systems. I am a bit new to intrusion detection stuff.
Do IDS systems in general have a parameter that can be used to tune security
versus performance?

Intrusion detection systems easily observe millions of packets a second.
Given this voluminous data, the performance per packet could have signicant
impact on the performance of the network. Also, system administrators can
easily get overwhelmed with the false positives even if the rate is small.
Do intrusion detection systems have an .alert level that decides how
aggressively to look for attacks. When in a heightened state of alert, cyber
security managers could change the alert level so that the  intrusion
detection system tries to look more closely at packets to make a more
informed decision.

Does this idea of alert level make any sense?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20061204/e47ba980/attachment.html 

More information about the Bro mailing list