RE: on NIDS/NIPS tuning
From: M. Shirk (shirkdog_list_at_hotmail.com)
Date: 06/10/05
- Previous message: Andrew Plato: "RE: IDS\IPS that can handle one Gig"
- Maybe in reply to: Anton A. Chuvakin: "on NIDS/NIPS tuning"
- Next in thread: Phil Hollows: "RE: on NIDS/NIPS tuning"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: focus-ids@securityfocus.com
Date: Fri, 10 Jun 2005 11:11:04 -0400
About a year ago, a client wanted ALL alerts with absolutely no filtering.
This presented a problem for the analysts as there were 100,000+ events per
day. We had to actually filter out events that were false positives and
false alarms from the analysts' displays while still logging the events to a
DB. There was a lot of wasted time on trying to archive and work with the DB
when we could have just filtered the traffic.
That is the worst I can think of. In other environments, the sensors were
tuned and regularly tested and were basically the analysts' best friends.
:-)
Shirkdog
http://www.shirkdog.us
>From: "Anton A. Chuvakin" <anton@chuvakin.org>
>To: focus-ids@securityfocus.com
>Subject: on NIDS/NIPS tuning
>Date: Thu, 9 Jun 2005 13:01:20 -0400 (EDT)
>
>All,
>
>I was thinking about some issues with IDS alerts (their volume, etc) and
>realized I could use some help from the list. It might also be a fun
>discussion item.
>
>So, here it is: how many folks who buy/download a NIDS/NIPS actually tune
>it? A long time ago when I was asking this question the previous time, I was
>scared to learn that lots of people do not tune their NIDSs. Is it any
>better now?
>
>Best,
>--
>Anton A. Chuvakin, Ph.D., GCIA, GCIH, GCFA
> http://www.info-secure.org
> http://www.securitywarrior.com
>
>
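The arrangement Shirk describes above (keep every event in the DB, but keep the known false positives off the analysts' screens) is easy to get wrong if the suppression and the logging are the same switch. The following is an added example, not code from the original post or from any NIDS product: a small Python pipeline that archives every alert to a SQLite table and applies site-specific suppression rules only to what reaches the console. The signature IDs, addresses, rule names and alerts are all constructed for illustration.

```python
import ipaddress
import sqlite3
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int      # signature id as the sensor reports it (hypothetical values below)
    msg: str
    src: str
    dst: str
    dport: int


# A suppression rule is a name plus a predicate over an Alert; first match wins.
Rule = Tuple[str, Callable[[Alert], bool]]


def from_net(net: str) -> Callable[[Alert], bool]:
    """Match alerts whose source address lies inside the given network."""
    network = ipaddress.ip_network(net)
    return lambda a: ipaddress.ip_address(a.src) in network


def sid_from_net(sid: int, net: str) -> Callable[[Alert], bool]:
    """Match one signature only when fired by hosts inside the given network."""
    in_net = from_net(net)
    return lambda a: a.sid == sid and in_net(a)


def sid_from_net_to_port(sid: int, net: str, dport: int) -> Callable[[Alert], bool]:
    """Match one signature from a network, further narrowed to a destination port."""
    in_net = from_net(net)
    return lambda a: a.sid == sid and a.dport == dport and in_net(a)


class AlertPipeline:
    """Archive every alert; show analysts only those no rule suppresses."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.db = sqlite3.connect(":memory:")   # stands in for the real event DB
        self.db.execute(
            "CREATE TABLE events (ts TEXT, sid INTEGER, msg TEXT, src TEXT, "
            "dst TEXT, dport INTEGER, suppressed_by TEXT)"
        )
        self.console: List[Alert] = []          # what the analysts actually see

    def process(self, a: Alert) -> Optional[str]:
        """Store the alert unconditionally; return the suppressing rule name, if any."""
        hit = next((name for name, pred in self.rules if pred(a)), None)
        self.db.execute(
            "INSERT INTO events VALUES (?, ?, ?, ?, ?, ?, ?)",
            (a.ts, a.sid, a.msg, a.src, a.dst, a.dport, hit),
        )
        if hit is None:
            self.console.append(a)
        return hit

    def archived_count(self) -> int:
        return self.db.execute("SELECT COUNT(*) FROM events").fetchone()[0]

    def suppression_report(self) -> Dict[str, int]:
        """Per-rule hit counts from the archive. A rule that never fires is stale;
        one that fires constantly deserves a look, since it may be hiding real signal."""
        rows = self.db.execute(
            "SELECT suppressed_by, COUNT(*) FROM events "
            "WHERE suppressed_by IS NOT NULL GROUP BY suppressed_by"
        ).fetchall()
        return dict(rows)


# Constructed sample alerts (not real traffic); sids and addresses are hypothetical.
SAMPLE_ALERTS = [
    Alert("2005-06-10 09:00:01", 1000001, "ICMP PING", "10.0.0.5", "10.0.1.20", 0),
    Alert("2005-06-10 09:00:02", 1000001, "ICMP PING", "203.0.113.9", "10.0.1.20", 0),
    Alert("2005-06-10 09:00:03", 2000002, "WEB-MISC /etc/passwd access", "10.0.9.14", "10.0.1.80", 80),
    Alert("2005-06-10 09:00:04", 2000002, "WEB-MISC /etc/passwd access", "198.51.100.23", "10.0.1.80", 80),
    Alert("2005-06-10 09:00:05", 3000003, "SNMP public community", "10.0.0.5", "10.0.1.254", 161),
    Alert("2005-06-10 09:00:06", 3000003, "SNMP public community", "10.0.1.33", "10.0.1.254", 161),
]

# Hypothetical tuning for this site: the NMS at 10.0.0.5 pings hosts and polls
# SNMP, and the authorised vulnerability scanner lives in 10.0.9.0/24.
RULES = [
    ("nms-pings", sid_from_net(1000001, "10.0.0.5/32")),
    ("nms-snmp-polling", sid_from_net_to_port(3000003, "10.0.0.5/32", 161)),
    ("vuln-scanner", from_net("10.0.9.0/24")),
]


def run_sample() -> AlertPipeline:
    p = AlertPipeline(RULES)
    for a in SAMPLE_ALERTS:
        p.process(a)
    return p


if __name__ == "__main__":
    p = run_sample()
    print(f"archived {p.archived_count()}, shown to analysts {len(p.console)}, "
          f"suppressed by rule: {p.suppression_report()}")
```

The point of keeping `suppressed_by` in the archive rather than just dropping the event is that the suppression list becomes auditable: the report tells you which rules are still earning their place, and an analyst can pull the suppressed rows back out when an incident turns the "known noise" into evidence. The same idea applies when the sensor itself supports per-signature, per-source suppression; the difference is only where the filter runs.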
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------