[Bro] IDS newbie. Question on security Vs performance
Vern Paxson
vern at icir.org
Mon Dec 11 16:02:32 PST 2006
> Do IDS systems in general have a parameter that can be used to tune security
> versus performance?
Not a single knob, but a whole suite of tuning possibilities. One large
instance is deciding which signatures (of perhaps thousands) and other
forms of analysis you want to turn on, and for what subset of the packet
stream.
> Intrusion detection systems easily observe millions of packets a second.
I don't know about "easily". For example, UC Berkeley, which has about
50K hosts, averages less than a 10th of that across its border.
> Given this voluminous data, the performance per packet could have signicant
> impact on the performance of the network. Also, system administrators can
> easily get overwhelmed with the false positives even if the rate is small.
Yep.
> Do intrusion detection systems have an .alert level that decides how
> aggressively to look for attacks. When in a heightened state of alert, cyber
> security managers could change the alert level so that the intrusion
> detection system tries to look more closely at packets to make a more
> informed decision.
>
> Does this idea of alert level make any sense?
Per the above, the space is much broader than a single alert level.
This makes tuning and adaptation quite complex.
Vern
More information about the Bro
mailing list