RE: on NIDS/NIPS tuning
From: Joshua Berry (jberry_at_PENSON.COM)
Date: 06/09/05
- Previous message: Anton A. Chuvakin: "on NIDS/NIPS tuning"
- Maybe in reply to: Anton A. Chuvakin: "on NIDS/NIPS tuning"
- Next in thread: Bob Huber: "Re: on NIDS/NIPS tuning"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 9 Jun 2005 15:41:29 -0500 To: <focus-ids@securityfocus.com>
I tune my IDS sensors for rules that are giving me too many
false-positives, and for any vulnerability or security threat that isn't
addressed with the current rule-set. I try to go over my rule-set and
configuration every couple of months.
Other than that, I have written a script that I can context.pl that
imports data from nessus scans and p0f profiles (data from these tools
are imported into a database by some custom scripts) and uses that
information to configure some of the variables and rules to attempt to
provide context for the system. It is somewhat of a hacked together
"poor-mans" attempt at RNA.
-----Original Message-----
From: Anton A. Chuvakin [mailto:anton@chuvakin.org]
Sent: Thursday, June 09, 2005 12:01 PM
To: focus-ids@securityfocus.com
Subject: on NIDS/NIPS tuning
All,
I was thinking about some issues with IDS alerts (their volume, etc) and
realized I could use some help from the list. It might also be a fun
discussion item.
So, here it is: how many folks who buy/download a NIDS/NIPS actually
tune
it? Long time ago when I was asking this question the previous time, I
was
scared to learn that lots of people do not tune their NIDSs. Is it any
better now?
Best,
--
Anton A. Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.info-secure.org
http://www.securitywarrior.com
------------------------------------------------------------------------
--
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
- Previous message: Anton A. Chuvakin: "on NIDS/NIPS tuning"
- Maybe in reply to: Anton A. Chuvakin: "on NIDS/NIPS tuning"
- Next in thread: Bob Huber: "Re: on NIDS/NIPS tuning"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
