IDS test tools and cool gigether device.
cbullard at nortelnetworks.com
Tue May 30 10:33:56 EDT 2000
Cool. I was wondering when someone was going
to actually do this. Because there has been a void
here, I've been thinking about how to do this with
simple commercial gig-ether switches, and, of course,
the ubiquitous BFR (big fxxxxxx router). It may not
be that hard of a problem after all.
> -----Original Message-----
> From: Peter Van Epp [mailto:vanepp at sfu.ca]
> Sent: Friday, May 26, 2000 3:21 PM
> To: argus at lists.andrew.cmu.edu
> Subject: IDS test tools and cool gigether device.
> A couple of interesting things that I have found out while arranging
> for evals of a couple of commercial IDS products. First www.anzen.com
> under the "research" page has test tools (traffic and attack generator
> code) which looks like a good bet. I'm in the process of buying a test
> setup (not only for argus, but it will certainly do that) and will
> install this stuff on there and play.
> As well, when I was asking for a quote on NFR with the future move to
> Gigether they pointed me at this lovely box (this harks back to our
> earlier discussion about how we IDS a Gigether link on PC class
> machines). This should do the trick by splitting the stream into
> manageable chunks in 100baseT ports (assuming of course your traffic
> mix allows that).
> > NFR is currently working on adding hardware support for Gigabit. The
> > problem though is the ability of the software to keep up. The solution
> > NFR is recommending is to use a device made by a company called
> > Toplayer produces the Appswitch which provides you with the ability to
> > switch traffic at the application level. This gives you the ability to
> > programmatically direct HTTP, FTP, SMTP, etc... to different ports on
> > the switch, where the traffic can subsequently be monitored by multiple
> > sensors. This allows you to break down a larger stream into smaller more
> > manageable streams. In addition, you get an added performance boost in
> > that each sensor is now only required to run a smaller subset of N-code.
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada