Evaluation Criteria

The following criteria could be helpful when IDSes have to be evaluated. The products on the market today are undergoing rapid changes in features, and all the evaluations that have been published are more or less out of date. A catalogue of criteria might help in deciding whether to buy a product or not.
The list is not at all complete and can certainly be extended!

User Interface

  • Ease of Signature tuning
  • Data presentation

Sensor Engine

  • Packet drop rate (i.e., throughput)
  • Signature quality (how to measure this criterion is under heavy discussion and not at all an easy issue!)
  • Open signature format (i.e., user can see, change and add signatures)
  • Support of third-party signatures (e.g., snort-signatures)
  • Robustness of engine against evasion techniques
  • Protocol knowledge (e.g., TCP, HTTP, FTP, SMTP, ...): are protocol anomalies detected?
  • Session support (e.g., IP fragment reassembling, TCP stream reassembling, HTTP session capability, ...)
  • Possibility to notify if packets are dropped
  • Remote manageability
  • Stability of sensor (no crashes)
  • Number of concurrent sessions it can hold (i.e., IP, TCP and application protocols)
  • Dumping of application layer data
  • Recording of TCP sessions
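
An added example (not part of the original page) of why the "session support" and "evasion robustness" criteria above matter: a signature that straddles a TCP segment boundary is invisible to an engine that inspects packets one by one, but is found once the stream is reassembled in sequence order. The signature, the overlap policy and the sample session are all constructed for this illustration.

```python
import re
from typing import List, Tuple

# Constructed sample signature (not a real vendor rule): a request path to flag.
SIGNATURE = re.compile(rb"GET /cgi-bin/probe")

Segment = Tuple[int, bytes]  # (TCP sequence number, payload)


def match_per_packet(segments: List[Segment]) -> List[int]:
    """Engine with no session support: each payload is inspected on its own."""
    return [i for i, (_, payload) in enumerate(segments) if SIGNATURE.search(payload)]


def reassemble(segments: List[Segment], isn: int) -> bytes:
    """Rebuild the byte stream in sequence order starting at the initial
    sequence number. Overlapping bytes are discarded in favour of data already
    accepted ("first wins"); a hole ends reassembly, since a real engine would
    have to buffer until the missing segment arrives or the session times out.
    Which overlap policy is right depends on the receiving host's TCP stack,
    which is exactly why this belongs on the evaluation list."""
    stream = bytearray()
    expected = isn
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > expected:          # hole in the stream: stop here
            break
        if seq < expected:          # overlap: keep the already-accepted bytes
            payload = payload[expected - seq:]
        stream += payload
        expected += len(payload)
    return bytes(stream)


def match_reassembled(segments: List[Segment], isn: int) -> bool:
    """Engine with TCP stream reassembly: match against the rebuilt stream."""
    return SIGNATURE.search(reassemble(segments, isn)) is not None


# Constructed sample session: segments arrive out of order and the signature
# is split across the boundary, so no single packet contains it.
ISN = 1000
SEGMENTS: List[Segment] = [
    (ISN + 9, b"bin/probe HTTP/1.0\r\n\r\n"),
    (ISN, b"GET /cgi-"),
]

if __name__ == "__main__":
    print("per-packet hits:", match_per_packet(SEGMENTS))        # []
    print("reassembled hit:", match_reassembled(SEGMENTS, ISN))  # True
```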

Console Capabilities

  • Aggregation (I don't know of any IDS which can do this adequately nowadays!)
  • Correlation
  • Scalability
  • IDWG support
  • Web-based interface
  • OS support
  • Integration of other sensors
  • Usefulness of reports, variety of reports, presentation of reports
  • Export possibilities for reports
  • Alerting mechanisms (email, SMS, pager, executing scripts)
  • Reactive measures (shunning, ...)

Overall Capabilities

  • Possible interfaces (e.g., syslog, SNMP, OPSEC, CISCO POP, ...)
  • Ease of integration of other event sources (e.g., routers, switches, firewalls, VPN, other sensors, ...)
  • Ease of signature update on the sensors
  • Signature update support from vendor (frequency, distribution channel, ...)
  • Ease of installation and setup


    CopyLeft (l) 2003 by Raffael Marty