I have enabled the dropped packet notification on my NS V7.0 and one of the sensors is reporting that it is dropping a number of packets. Could the reason below be an explanation?
regards
Jeff Ames

----- Original Message -----
From: "Jeanne" <[EMAIL PROTECTED]>
To: "Robert Graham" <[EMAIL PROTECTED]>
Cc: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Sent: Monday, January 05, 2004 9:03 PM
Subject: Re: [ISSForum] network sensor 7 performance

> Robert, Thanks for a great explanation. I am also looking to see if my
> sensor is dropping packets or not.
>
> I use RealSecure Network Sensors V. 7.
>
> Where do I change the configuration for
>
> SensorStatistics and
> SensorError
>
> Where do
>
> Robert Graham wrote:
>
> >Unless something is drastically wrong, the sensor generally doesn't drop
> >packets. Remember that RealSecure version 7.0 is roughly 10 times faster than
> >RealSecure version 6.0, therefore, whereas v6 customers worried about packet
> >loss, v7 customers generally don't.
> >
> >By far the best way to monitor the situation is the event "SensorStatistics".
> >If enabled in the policy, it will trigger every 15 minutes, and include a
> >number of interesting numbers in the "event details" portion. One of the most
> >important numbers counts the number of TCP "acknowledgements" for data that the
> >sensor didn't see. (In other words, the machines on either end saw the data,
> >but the network sensor didn't). This will tell you when the sensor drops
> >packets, as well as when packets are being dropped before they reach the
> >sensor. A lot of customers have used this number to figure out that their
> >switch's monitor port was dropping occasional packets.
> >
> >The sensor itself can tell you when it thinks it has dropped a packet with the
> >"SensorError" events, but I think "SensorStatistics" is better.
> >
> >Note that you should never run an IDS under the condition where a certain
> >percentage of packets is being dropped. An IDS is either dropping packets, or
> >it isn't. Even a small number of dropped packets can lead to high numbers of
> >false-positives and false-negatives. Part of the installation procedure is to
> >make sure it is installed in such a way that it isn't dropping packets. In
> >other words, the SensorStatistic value of "tcp.nodataacks" should be always
> >zero.
> >
> >Robert Graham
> >Chief Scientist, ISS
> >
> >--- "Johnson, Scott" <[EMAIL PROTECTED]> wrote:
> >
> >>How can I monitor the network sensor for bandwidth allocation and what
> >>percentage of packets are being dropped?
> >>
> >>Scott Johnson, CISSP, GSEC
> >>ERCOT Cyber Security
> >>Office 512-248-3152
> >>Cell 512-917-9844
> >
> >=====
> >Robert Graham
> >play[http://www.robertgraham.com] work[http://iss.net]
> >"Security is mostly a superstition, it does not exist in nature" -- H. Keller
> >
> >_______________________________________________
> >ISSForum mailing list
> >[EMAIL PROTECTED]
> >
> >TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
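
An added illustration, not part of the thread and not ISS's implementation, of the idea behind the "tcp.nodataacks" counter described above: a passive monitor tracks the contiguous bytes it has seen in each direction and counts ACKs that cover bytes it never observed. The `Seg` record, the function names and the sample capture are all constructed for this example.

```python
from collections import namedtuple

# Hypothetical decoded-segment record (not a RealSecure format): endpoints,
# sequence number, payload length, ACK number (None if unset), SYN flag.
Seg = namedtuple("Seg", "src dst seq length ack syn")
MOD = 1 << 32

def seq_gt(a, b):
    """True if sequence number a is after b in modulo-2**32 arithmetic."""
    return a != b and (a - b) % MOD < MOD // 2

def count_nodata_acks(segments):
    """Count ACKs that acknowledge bytes the monitor never observed."""
    seen_end = {}   # (src, dst) -> end of contiguous data observed from src
    pending = {}    # (src, dst) -> out-of-order (start, end) ranges held back
    missed = 0

    def absorb(key):
        # Fold held-back ranges into seen_end once the gap before them closes.
        progress = True
        while progress:
            progress = False
            for start, end in list(pending.get(key, [])):
                if not seq_gt(start, seen_end[key]):
                    pending[key].remove((start, end))
                    if seq_gt(end, seen_end[key]):
                        seen_end[key] = end
                    progress = True

    for s in segments:
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        # The peer is acknowledging data beyond what the tap delivered to us.
        if s.ack is not None and rev in seen_end and seq_gt(s.ack, seen_end[rev]):
            missed += 1
            seen_end[rev] = s.ack      # resynchronise: count each gap once
            absorb(rev)
        end = (s.seq + s.length + (1 if s.syn else 0)) % MOD  # SYN uses one seq
        if fwd not in seen_end:
            seen_end[fwd] = end        # first sight of this direction
        elif seq_gt(s.seq, seen_end[fwd]):
            pending.setdefault(fwd, []).append((s.seq, end))  # hole before it
        elif seq_gt(end, seen_end[fwd]):
            seen_end[fwd] = end
        absorb(fwd)
    return missed

C, S = "10.0.0.5:40000", "10.0.0.9:80"   # constructed endpoints
# Constructed capture: the C->S segment with seq=1101 never reached the monitor.
CAPTURE = [
    Seg(C, S, 1000, 0, None, True), Seg(S, C, 5000, 0, 1001, True),
    Seg(C, S, 1001, 100, 5001, False), Seg(S, C, 5001, 0, 1101, False),
    Seg(C, S, 1201, 100, 5001, False), Seg(S, C, 5001, 0, 1301, False),
]
```

Segments that merely arrive out of order are held in `pending` and do not raise the count; only an ACK that passes a hole the monitor never filled does.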
