RE: on NIDS/NIPS tuning
From: Gary Halleen (ghalleen_at_cisco.com)
Date: 06/10/05
- Previous message: Phil Hollows: "RE: on NIDS/NIPS tuning"
- In reply to: Drew Simonis: "Re: on NIDS/NIPS tuning"
- Next in thread: Adam Powers: "Re: on NIDS/NIPS tuning"
- Reply: Adam Powers: "Re: on NIDS/NIPS tuning"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Drew Simonis'" <simonis@myself.com>, "'Anton A. Chuvakin'" <anton@chuvakin.org>, <focus-ids@securityfocus.com> Date: Fri, 10 Jun 2005 13:17:03 -0700
I'm seeing many organizations now tuning not on the IDS, but on the SIM
product they're using for monitoring them.
Gary
-----Original Message-----
From: Drew Simonis [mailto:simonis@myself.com]
Sent: Friday, June 10, 2005 6:02 AM
To: Anton A. Chuvakin; focus-ids@securityfocus.com
Subject: Re: on NIDS/NIPS tuning
>
> All,
>
> I was thinking about some issues with IDS alerts (their volume, etc)
> and realized I could use some help from the list. It might also be a
> fun discussion item.
>
> So, here it is: how many folks who buy/download a NIDS/NIPS actually
> tune it? Long time ago when I was asking this question the previous
> time, I was scared to learn that lots of people do not tune their
> NIDSs. Is it any better now?
>
I know that, in my experience, many orgs don't tune at all. The fear is
that they might do it wrong and thereby miss some important event. IMO,
this is a stupid way of thinking, but I bet it isn't as rare as it should
be.
In other cases, people do not tune and rely on a correlation engine or MSS
to filter the events. This is better, but really just moves the tuning to a
different level.
Personally, I tune sigs and also tailor the sig sets to the devices being
monitored. For example, if there are no webservers on a segment, I might
not be as inclined to use sigs that check for Apache exploits. I've never
really measured the impact on the system vs. the administrative cost of
doing this, however, so it is quite possible I am wasting time for a
negligable benefit.
On the tuning side, I believe that filters and exclusions should be part of
the incident response lifecycle. If I am alerted to an event by an IDS, I
investigate and discover that the event was benign or did not take place, a
filter should result, and thus be properly documented.
-Ds
-- ___________________________________________________________ Sign-up for Ads Free at Mail.com http://promo.mail.com/adsfreejump.htm -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. -------------------------------------------------------------------------- -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
- Previous message: Phil Hollows: "RE: on NIDS/NIPS tuning"
- In reply to: Drew Simonis: "Re: on NIDS/NIPS tuning"
- Next in thread: Adam Powers: "Re: on NIDS/NIPS tuning"
- Reply: Adam Powers: "Re: on NIDS/NIPS tuning"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
