Re: on NIDS/NIPS tuning

From: Jason Falciola (falciola_at_us.ibm.com)
Date: 06/10/05

    To: "Anton A. Chuvakin" <anton@chuvakin.org>
    Date: Fri, 10 Jun 2005 08:07:52 -0400
    
    

    On Thursday, June 09, 2005 at 4:37 PM, "Anton A. Chuvakin"
    <anton@chuvakin.org> wrote:

    ] So, here it is: how many folks who buy/download a NIDS/NIPS actually tune
    ] it? Long time ago when I was asking this question the previous time, I was
    ] scared to learn that lots of people do not tune their NIDSs. Is it any
    ] better now?

    Hi Anton,

    We certainly *do* tune our IDS devices (whether IDS/IPS of the network,
    host, or wireless variety), and have been doing so since day one. The
    volume of false positives would make it impossible for us to operate
    otherwise.

    We make many modifications to the vendors' defaults (based on years of
    research, experience, and testing) and also tune on a per client basis,
    with a very high level of granularity in our filters.

    One observation here that applies across the board, whether or not you're
    operating as an MSSP: communication with all teams involved and an intimate
    understanding of the networks/hosts in question are critical to appropriate
    IDS tuning.

    Jason Falciola
    Security Intelligence Analyst
    IBM Managed Security Services
    falciola@us.ibm.com


