I have enabled the dropped packet notification on my NS V7.0 and one of the sensors is reporting that it is dropping a number of packets. Could this be for the same reason as described below?

regards
Jeff Ames

----- Original Message -----
From: "Robert Graham" <[EMAIL PROTECTED]>
To: "Johnson, Scott" <[EMAIL PROTECTED]>; "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Sent: Monday, January 05, 2004 8:32 AM
Subject: Re: [ISSForum] network sensor 7 performance

> Unless something is drastically wrong, the sensor generally doesn't drop
> packets. Remember that RealSecure version 7.0 is roughly 10 times faster than
> RealSecure version 6.0, therefore, whereas v6 customers worried about packet
> loss, v7 customers generally don't.
>
> By far the best way to monitor the situation is the event "SensorStatistics".
> If enabled in the policy, it will trigger every 15 minutes, and include a
> number of interesting numbers in the "event details" portion. One of the most
> important numbers counts the number of TCP "acknowledgements" for data that the
> sensor didn't see. (In other words, the machines on either end saw the data,
> but the network sensor didn't). This will tell you when the sensor drops
> packets, as well as when packets are being dropped before they reach the
> sensor. A lot of customers have used this number to figure out that their
> switch's monitor port was dropping occasional packets.
>
> The sensor itself can tell you when it thinks it has dropped a packet with the
> "SensorError" events, but I think "SensorStatistics" is better.
>
> Note that you should never run an IDS under the condition where a certain
> percentage of packets is being dropped. An IDS is either dropping packets, or
> it isn't. Even a small number of dropped packets can lead to high numbers of
> false-positives and false-negatives. Part of the installation procedure is to
> make sure it is installed in such a way that it isn't dropping packets. In
> other words, the SensorStatistic value of "tcp.nodataacks" should be always
> zero.
>
> Robert Graham
> Chief Scientist, ISS
>
> --- "Johnson, Scott" <[EMAIL PROTECTED]> wrote:
> > How can I monitor the network sensor for bandwidth allocation and what
> > percentage of packets are being dropped?
> >
> > Scott Johnson, CISSP, GSEC
> > ERCOT Cyber Security
> > Office 512-248-3152
> > Cell 512-917-9844
>
> =====
> Robert Graham
> play[http://www.robertgraham.com] work[http://iss.net]
> "Security is mostly a superstition, it does not exist in nature" -- H. Keller
>
> _______________________________________________
> ISSForum mailing list
> [EMAIL PROTECTED]
>
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
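
The counter described in the quoted reply, ACKs for data the sensor never saw, can be reproduced over any packet capture. The following is an added example, not part of the original thread and not ISS's implementation of "tcp.nodataacks"; the Seg record, the function names and the sample flow are constructed, and the capture is assumed to be in wire order.

```python
from collections import namedtuple

# Constructed record of the TCP header fields a passive monitor sees per segment.
Seg = namedtuple("Seg", "src sport dst dport seq ack length flags")

def seq_after(a, b):
    """True if 32-bit sequence number a is strictly after b (wrap-safe)."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

def count_unseen_acks(segments):
    """Count ACKs that acknowledge bytes the monitor never observed."""
    seen_end = {}  # (src, sport, dst, dport) -> next sequence number observed
    unseen = 0
    for s in segments:
        fwd = (s.src, s.sport, s.dst, s.dport)
        rev = (s.dst, s.dport, s.src, s.sport)
        if "A" in s.flags:
            if rev not in seen_end:
                seen_end[rev] = s.ack      # joined mid-stream: use as baseline
            elif seq_after(s.ack, seen_end[rev]):
                unseen += 1                # endpoint got data the monitor missed
                seen_end[rev] = s.ack      # resync so each gap is counted once
        # SYN and FIN each consume one sequence number.
        end = (s.seq + s.length + ("S" in s.flags) + ("F" in s.flags)) & 0xFFFFFFFF
        if fwd not in seen_end or seq_after(end, seen_end[fwd]):
            seen_end[fwd] = end
    return unseen

# Constructed sample flow: client 10.0.0.1:40000 talking to server 10.0.0.2:80.
C, S = ("10.0.0.1", 40000), ("10.0.0.2", 80)
def c2s(seq, ack, length, flags): return Seg(*C, *S, seq, ack, length, flags)
def s2c(seq, ack, length, flags): return Seg(*S, *C, seq, ack, length, flags)

FULL = [
    c2s(1000, 0, 0, "S"), s2c(5000, 1001, 0, "SA"), c2s(1001, 5001, 0, "A"),
    c2s(1001, 5001, 100, "PA"), s2c(5001, 1101, 0, "A"),
    c2s(1101, 5001, 200, "PA"),   # index 5: the segment the lossy capture misses
    s2c(5001, 1301, 0, "A"),
    c2s(1301, 5001, 50, "PA"), s2c(5001, 1351, 0, "A"),
]
LOSSY = FULL[:5] + FULL[6:]

if __name__ == "__main__":
    print("full capture :", count_unseen_acks(FULL))
    print("lossy capture:", count_unseen_acks(LOSSY))
```

A non-zero result does not say where the loss happened: the same count appears whether the monitor dropped the segment or a switch monitor port never delivered it.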
