Re: on NIDS/NIPS tuning

From: Bob Huber (roberthuberjr_at_yahoo.com)
Date: 06/10/05

Date: Thu, 9 Jun 2005 17:21:58 -0700 (PDT)
To: "Anton A. Chuvakin" <anton@chuvakin.org>, focus-ids@securityfocus.com

We spend a considerable amount of time tuning our IDS (100+). It allows us to quickly focus on 'meatier' events. Having quite a few IDS, with many on the internal network, most of the tuning is for normal network traffic: SNMP, ICMP, DNS, SMTP, etc. Our tuning is fairly fine-grained, by protocol, by src/dst IP, or by src and dst net. We lock it down as best we can. And since we are audited, we also comment all of the filtering we perform. The downside, and something I would like to see the IDS/IPS vendors add to their functionality: time-stamp the filter entries and record the most recent time the filter has fired, so we can remove the filter if it is no longer in use.

I've spoken with quite a few organizations myself that just turn IDS on and forget about it. I'm sure some folks even use SIM as a crutch in this instance, using it to reduce events. Shame. But only so many people like running tcpdump and going through packet captures, I guess; others just look for the blinking red lights.

A side benefit to tuning: you learn your network pretty well, which helps when things get hairy.

Bob
--- "Anton A. Chuvakin" <anton@chuvakin.org> wrote:

> All,
>
> I was thinking about some issues with IDS alerts (their volume, etc) and
> realized I could use some help from the list. It might also be a fun
> discussion item.
>
> So, here it is: how many folks who buy/download a NIDS/NIPS actually tune
> it? Long time ago when I was asking this question the previous time, I was
> scared to learn that lots of people do not tune their NIDSs. Is it any
> better now?
>
> Best,
> --
> Anton A. Chuvakin, Ph.D., GCIA, GCIH, GCFA
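The filter bookkeeping Bob asks vendors for (commented suppression filters keyed by protocol and src/dst net, each carrying a creation time and the last time it fired, so stale filters can be retired) can be modelled in a few lines. The following is an added example, not code from the post or from any IDS product; the filter names, networks and alerts are constructed sample data, and the 90-day idle threshold is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class SuppressionFilter:
    name: str
    protocol: str            # "snmp", "dns", ... or "*" for any protocol
    src_net: str             # CIDR source range the filter applies to
    dst_net: str             # CIDR destination range
    comment: str             # audit justification, recorded with the filter
    created: datetime        # when the filter was added
    last_fired: Optional[datetime] = None   # most recent alert it suppressed
    hits: int = 0

    def matches(self, alert: dict) -> bool:
        return (self.protocol in ("*", alert["protocol"])
                and ip_address(alert["src"]) in ip_network(self.src_net)
                and ip_address(alert["dst"]) in ip_network(self.dst_net))

def apply_filters(alerts, filters):
    """Return alerts no filter suppressed; record hits and last-fired time."""
    kept = []
    for alert in alerts:
        hit = next((f for f in filters if f.matches(alert)), None)
        if hit is None:
            kept.append(alert)
        else:
            hit.hits += 1
            hit.last_fired = alert["ts"]
    return kept

def stale_filters(filters, now, max_idle=timedelta(days=90)):
    """Names of filters that have not fired within max_idle (never-fired ones count from creation)."""
    return [f.name for f in filters if now - (f.last_fired or f.created) > max_idle]

# Constructed sample data (hypothetical networks, filters and alerts).
FILTERS = [
    SuppressionFilter("snmp-poller", "snmp", "10.1.1.0/24", "10.0.0.0/8",
                      "NMS pollers, change ticket NET-1234 (placeholder)", datetime(2005, 1, 15)),
    SuppressionFilter("old-dns-lab", "dns", "10.9.0.0/16", "10.9.0.53/32",
                      "lab resolver, possibly decommissioned", datetime(2004, 11, 1)),
]
ALERTS = [
    {"ts": datetime(2005, 6, 9, 8, 0), "protocol": "snmp", "src": "10.1.1.5", "dst": "10.20.3.7"},
    {"ts": datetime(2005, 6, 9, 8, 5), "protocol": "smtp", "src": "192.0.2.9", "dst": "10.20.3.25"},
]

def run():
    """Suppress the sample alerts, then report filters idle for more than 90 days."""
    kept = apply_filters(ALERTS, FILTERS)
    return kept, stale_filters(FILTERS, now=datetime(2005, 6, 10))
```

Here the SNMP poller alert is suppressed and its filter's last-fired time updated, the SMTP alert passes through untouched, and the lab DNS filter is flagged as stale because nothing has matched it since it was created.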

