Snort 1.8.1

IDS Test 1 - Attack Recognition

| Attack type       | Attacks | Detected |
|-------------------|---------|----------|
| Port scans        | 5       | 5        |
| Denial of Service | 20      | 12       |
| DDOS/Trojan       | 6       | 6        |
| Web               | 12      | 9        |
| FTP               | 7       | 2        |
| SMTP              | 4       | 2        |
| POP3              | 2       | 0        |
| ICMP              | 2       | 2        |
| Finger            | 8       | 6        |
| Total             | 66      | 45 [2]   |

IDS Test 2 - Performance Under Load

| Test (detection rate at network load)        | 0%   | 25%  | 50%  | 75%  | 100% |
|----------------------------------------------|------|------|------|------|------|
| Small (64 byte) packet test (max 148,000pps) | 100% | 100% | 88%  | 51%  | 41%  |
| "Real world" packet test (max 57,000pps)     | 100% | 100% | 100% | 100% | 100% |
| Large (1514 byte) packet test (max 8176pps)  | 100% | 100% | 100% | 100% | 100% |

IDS Test 3 - IDS Evasion Techniques

| Tool       | Attacks | Detected |
|------------|---------|----------|
| Fragrouter | 8       | 8        |
| Whisker    | 7       | 7        |
| Total      | 15      | 15       |

IDS Test 4 - Stateful Operation

| Tool  | Attacks | Vulnerable? |
|-------|---------|-------------|
| Stick | 1       | Yes [1]     |
| Snot  | 1       | Yes [1]     |

Notes:

1. Snort only provides stateful reassembly of TCP traffic, leaving it vulnerable to UDP and ICMP Snot/Stick attacks.
2. The attack recognition results were obtained with the default rule set as downloaded from snort.org. Those conversant with writing Snort rules would no doubt be capable of increasing this level of performance.

In terms of performance, Snort surpassed all our expectations of a "free" product. Attack recognition out of the box was acceptable, and is not too difficult to improve with some judicious rule editing. It proved resistant to all our IDS evasion techniques, and partially resistant to tools such as Stick and Snot: the current version of Snort includes stateful stream reassembly for TCP traffic only, which meant that we could still cause problems via the UDP and ICMP protocols. It turned in a passable performance in the small packet tests, but astounded us by demonstrating 100 percent detection rates across the board in our "real world" tests. On a test platform similar to ours (Pentium III 1GHz, 768MB RAM, Intel network card, FreeBSD 4.4), therefore, Snort 1.8.1 would clearly be capable of supporting a normal-to-heavily loaded corporate network. Note, however, that it is worth spending some time fine-tuning the platform and operating system on which Snort is installed. As an example, here are the results we obtained running the same version of Snort on identical hardware, but under Red Hat Linux with the default Red Hat Intel drivers:
As you can see, FreeBSD provides much higher performance. We suspect that the official Intel drivers supplied with the network card would also make a difference, although we were unable to verify this in the time available.
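To illustrate Note 1 and the partial Stick/Snot resistance reported in Test 4, here is an added toy model (not code from this review or from Snort itself): a matcher that inspects every packet in isolation beside one that, like Snort's TCP stream reassembly, only matches TCP payloads inside a connection whose three-way handshake it has observed. The signatures, addresses and packets are constructed for the example; the decoy packets carry alert-matching payloads with no established stream behind them, which is why they are suppressed on TCP but still raise alerts on UDP and ICMP.

```python
from collections import Counter

# Constructed toy signatures, (protocol, payload substring) -> alert name.
SIGNATURES = {("tcp", b"cmd.exe"): "WEB cmd.exe access",
              ("udp", b"\x00\x01\x86\xa0"): "RPC portmap request",
              ("icmp", b"PING"): "ICMP PING"}
HANDSHAKE = {"S": 0, "SA": 1, "A": 2}  # flag sequence of a TCP three-way handshake

def match(pkt):
    """Return the alert name if the packet's payload matches a signature."""
    for (proto, needle), name in SIGNATURES.items():
        if pkt["proto"] == proto and needle in pkt["payload"]:
            return name
    return None

def stateless_alerts(packets):
    """Inspect every packet on its own, as a purely signature-driven IDS does."""
    return Counter(name for name in map(match, packets) if name)

def stateful_tcp_alerts(packets):
    """Raise TCP alerts only inside a connection whose handshake was observed.
    UDP and ICMP carry no connection state, so they are still matched alone."""
    stage, alerts = {}, Counter()
    for pkt in packets:
        name = match(pkt)
        if pkt["proto"] == "tcp":
            conn = frozenset((pkt["src"], pkt["dst"]))
            step = HANDSHAKE.get(pkt["flags"])
            if step is not None and stage.get(conn, -1) == step - 1:
                stage[conn] = step            # advance S -> SA -> A
            if stage.get(conn) != 2:
                continue                      # no established stream: ignore payload
        if name:
            alerts[name] += 1
    return alerts

def build_sample_traffic(decoys=100):
    """Constructed traffic: a genuine HTTP session, then spoofed decoys with no handshake."""
    a, b = "10.0.0.5", "10.0.0.80"
    pkts = [{"proto": "tcp", "src": a, "dst": b, "flags": f, "payload": p}
            for f, p in [("S", b""), ("SA", b""), ("A", b""),
                         ("PA", b"GET /scripts/cmd.exe HTTP/1.0\r\n\r\n")]]
    pkts[1]["src"], pkts[1]["dst"] = b, a   # the SYN/ACK comes from the server
    for i in range(decoys):
        src = f"192.0.2.{i % 254 + 1}"
        pkts.append({"proto": "tcp", "src": src, "dst": b, "flags": "PA",
                     "payload": b"GET /cmd.exe HTTP/1.0\r\n\r\n"})
        pkts.append({"proto": "udp", "src": src, "dst": b, "payload": b"\x00\x01\x86\xa0"})
        pkts.append({"proto": "icmp", "src": src, "dst": b, "payload": b"PING"})
    return pkts
```

Running both matchers over `build_sample_traffic()` gives 101 TCP alerts statelessly but only the one genuine session's alert with handshake tracking, while the 100 UDP and 100 ICMP decoys alert under both, mirroring the TCP-only coverage described in Note 1.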