Re: on NIDS/NIPS tuning

From: Drew Simonis (simonis_at_myself.com)
Date: 06/10/05

    To: "Anton A. Chuvakin" <anton@chuvakin.org>, focus-ids@securityfocus.com
    Date: Fri, 10 Jun 2005 08:02:02 -0500
    
    

    >
    > All,
    >
    > I was thinking about some issues with IDS alerts (their volume, etc) and
    > realized I could use some help from the list. It might also be a fun
    > discussion item.
    >
    > So, here it is: how many folks who buy/download a NIDS/NIPS actually tune
    > it? A long time ago, when I was asking this question the previous time, I was
    > scared to learn that lots of people do not tune their NIDSs. Is it any
    > better now?
    >

    I know that, in my experience, many orgs don't tune at all. The fear is
    that they might do it wrong and thereby miss some important event. IMO,
    this is a stupid way of thinking, but I bet it isn't as rare as it should
    be.

    In other cases, people do not tune and rely on a correlation engine or MSS
    to filter the events. This is better, but really just moves the tuning to
    a different level.

    Personally, I tune sigs and also tailor the sig sets to the devices being
    monitored. For example, if there are no webservers on a segment, I might
    not be as inclined to use sigs that check for Apache exploits. I've never
    really measured the impact on the system vs. the administrative cost of
    doing this, however, so it is quite possible I am wasting time for a
    negligible benefit.

    On the tuning side, I believe that filters and exclusions should be part
    of the incident response lifecycle. If I am alerted to an event by an IDS,
    investigate, and discover that the event was benign or did not take place,
    a filter should result, and thus be properly documented.

    -Ds
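
Added example, not part of the original message: a sketch of the two practices described above, loading only the signatures that match services present on a segment and recording every filter with the investigation that produced it. All rule ids, segment names, addresses and ticket ids are constructed for illustration and do not come from any real rule set.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample rule set: each signature is tagged with the service it covers.
RULES = [
    {"sid": 100001, "service": "http", "msg": "Apache exploit attempt"},
    {"sid": 100002, "service": "smtp", "msg": "SMTP relay probe"},
    {"sid": 100003, "service": "any", "msg": "ICMP sweep"},
]

# Constructed inventory: services actually present on each monitored segment.
SEGMENT_SERVICES = {"dmz": {"http", "smtp"}, "office-lan": {"smtp"}}


@dataclass(frozen=True)
class Filter:
    sid: int       # signature being filtered
    src_net: str   # source network the exclusion applies to
    ticket: str    # investigation that justified the filter (hypothetical id)
    reason: str    # what the investigation concluded


# A filter that resulted from an alert investigated and found benign.
FILTERS = [Filter(100003, "10.0.5.10/32", "IR-0001", "monitoring host pings all servers")]


def rules_for_segment(segment):
    """Return the sids worth loading on a segment, given its inventory."""
    services = SEGMENT_SERVICES[segment]
    return [r["sid"] for r in RULES if r["service"] == "any" or r["service"] in services]


def triage(segment, alert, filters=FILTERS):
    """Classify an alert as not-loaded, filtered (with its ticket) or alert."""
    if alert["sid"] not in rules_for_segment(segment):
        return ("not-loaded", None)
    for f in filters:
        if f.sid == alert["sid"] and ip_address(alert["src"]) in ip_network(f.src_net):
            return ("filtered", f.ticket)
    return ("alert", None)


def undocumented(filters):
    """Filters lacking a ticket or reason, i.e. tuning nobody can later justify."""
    return [f for f in filters if not f.ticket.strip() or not f.reason.strip()]
```
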

    
