Could you please define metrics? It's quite a wide term... Should you look for decision making criteria (technically speaking), my list should include:
1. false negative rate, to see how many real incidents your IDS may miss
2. false positive rate, to see how many "fake" incidents your IDS won't miss
3. security of the IDS itself (well, here come another 10 metrics but won't dig into)
4. handling of encrypted traffic (SSL, more precisely)
5. number of supported network segments (either physically or using VLANs)
6. integration/correlation with vulnerability assessment tools (with a unified attack description so that nobody gets confused)
7. custom signatures (e.g. snort-type) and exceptions capability (sometimes things get really bad, so it's a very nice to have)
8. integration with log analysis/correlation systems (call them SIM/SEM, etc.)
9. integration with ticketing systems (an incident may widely affect an organization)
10. automatic responses (or policy-based responses) - not "shunning"
11. reporting (somehow somebody must get notified in a language they can understand)

Should you turn into IPS, take also into account:
x1. number of "trusted" signatures (IBM/ISS-terminology, sorry..)
x2. modes of operation (IDS only, transparent, learning mode, hybrid)
x3. average time of signature issuance (not easy to estimate)

Of course, cost, R&D, vendor stability and coverage, etc. should not be overlooked. Lately, there are a number of IDS/IPS technologies used in firewalls, content security, SSL VPN gateways, etc. If your case is this, the lists above should look somehow different.

Hope this helps.

Dimitrios Patsos, Ph.D.(Cand.), M.Sc.
Security Architect
CMA, CME, CCDA, CCSA, CCSE

Quoting [EMAIL PROTECTED]:

> Could someone help me. I need to create a list of 10 security metrics for a
> IDS.
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------
