[Bro] IDS newbie. Question on security Vs performance

Vern Paxson vern at icir.org
Mon Dec 11 16:02:32 PST 2006

> Do IDS systems in general have a parameter that can be used to tune security
> versus performance?

Not a single knob, but a whole suite of tuning possibilities.  One large
instance is deciding which signatures (of perhaps thousands) and other
forms of analysis you want to turn on, and for what subset of the packet

> Intrusion detection systems easily observe millions of packets a second.

I don't know about "easily".  For example, UC Berkeley, which has about
50K hosts, averages less than a 10th of that across its border.

> Given this voluminous data, the performance per packet could have signicant
> impact on the performance of the network. Also, system administrators can
> easily get overwhelmed with the false positives even if the rate is small.


> Do intrusion detection systems have an .alert level that decides how
> aggressively to look for attacks. When in a heightened state of alert, cyber
> security managers could change the alert level so that the  intrusion
> detection system tries to look more closely at packets to make a more
> informed decision.
> Does this idea of alert level make any sense?

Per the above, the space is much broader than a single alert level.
This makes tuning and adaptation quite complex.


More information about the Bro mailing list