IDS test tools and cool gigether device.

Carter Bullard cbullard at nortelnetworks.com
Tue May 30 10:33:56 EDT 2000 

Hey Peter,
   Cool.  I was wondering when someone was going
to actually do this.   Because there has been a void
here, I've been thinking about how to do this with
simple commercial gig-ether switches, and, of course,
the ubiquitous BFR (big fxxxxxx router). It may not
be that hard of a problem after all.

Carter



> -----Original Message-----
> From: Peter Van Epp [mailto:vanepp at sfu.ca]
> Sent: Friday, May 26, 2000 3:21 PM
> To: argus at lists.andrew.cmu.edu
> Subject: IDS test tools and cool gigether device.
> 
> 
> 	A couple of interesting things that I have found out 
> while arranging
> for evals of a couple of commercial IDS products. First 
> www.anzen.com under
> the "research" page has test tools (traffic and attack 
> generator code) which
> looks like a good bet. I'm in the process of buying a test 
> setup (not only
> for argus, but it will certainly do that) and will install 
> this stuff on there
> and play.
> 
> http://ww.anzen.com/research/nidsbench/
> 
> 	As well when I was asking for a quote on NFR with the 
> future move to
> Gigether they pointed me at this lovely box (this harks back 
> to our earlier
> discussion about how we IDS a Gigether link on PC class 
> machines). This should
> do the trick by splitting the stream in to manageable chunks 
> in 100baseT
> ports (assuming of course your traffic mix allows that).
> 
> 
> > NFR is currently working on adding hardware support for 
> Gigabit.  The 
> > problem though is the ability of the software to keep up.  
> The solution NFR 
> > is recommending is to use a device made by a company called 
> Toplayer.
> > 
> > Toplayer produces the Appswitch which provides you with the 
> ability to 
> > switch traffic at the application level.  This give you the 
> ability to 
> > programmatically direct HTTP, FTP, SMTP, etc... to 
> different ports on the 
> > switch, where the traffic can subsequently be monitored by multiple 
> > sensors.  This allows you to break down a larger stream 
> into smaller more 
> > manageable streams.  It addition, you get an added 
> performance boost in 
> > that each sensor is now only required to run a smaller 
> subset of N-code.
> >
> 
> Peter Van Epp / Operations and Technical Support 
> Simon Fraser University, Burnaby, B.C. Canada
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20000530/af17a64f/attachment.html>

More information about the argus mailing list