Re: on NIDS/NIPS tuning
From: Kevin Timm (ktimm05_at_gmail.com)
Date: 06/10/05
- Previous message: Gary Halleen: "RE: on NIDS/NIPS tuning"
- In reply to: Bob Huber: "Re: on NIDS/NIPS tuning"
- Next in thread: Jason Falciola: "Re: on NIDS/NIPS tuning"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 10 Jun 2005 16:17:52 -0500 To: "Anton A. Chuvakin" <anton@chuvakin.org>, focus-ids@securityfocus.com
A lot of tuning with very tight processes around what should or should
not be tuned. There are actually several levels of tuning which
loosly comprise
1. Tuning the signature set to a baseline (turn on a lot of sigs )
2. Tune signature specific variables in the case they can be tuned
3. Tune signature specific alerting
4. Tune specific hosts which cause exceptions
5. Tune data stream
6. Correlate
On 6/9/05, Bob Huber <roberthuberjr@yahoo.com> wrote:
> We spend a considerable amount of time tuning our IDS
> (100+). It allows us to quickly focus on 'meatier'
> events. Having quite a few IDS, with many on the
> internal network, most of the tuning is for normal
> network traffic, SNMP, ICMP, DNS, SMTP etc.. Our
> tuning is fairly fine-grained, by protocol, by src/dst
> ip or src and dst net. We lock it down as best we
> can. And since we are audited, we also comment all of
> the filtering we perform. The downside, and something
> I would like to see the IDS/IPS vendors add into their
> functionality, time stamp the filter entries and
> record the most recent time the filter has fired so we
> can remove the filter if it is no longer in use.
>
> I've spoken with quite a few organizations myself that
> just turn IDS on and forget about it. I'm sure some
> folks even use SIM as a crutch in this instance, using
> it to reduce events..Shame..But only so many people
> like running tcpdump and going through packet captures
> I guess, others just look for the blinking red lights.
>
> A side benefit to tuning, you learn your network
> pretty well which helps when things get hairy.
>
> Bob
> --- "Anton A. Chuvakin" <anton@chuvakin.org> wrote:
>
> > All,
> >
> > I was thinking about some issues with IDS alerts
> > (their volume, etc) and
> > realized I could use some help from the list. It
> > might also be a fun
> > discussion item.
> >
> > So, here it is: how many folks who buy/download a
> > NIDS/NIPS actually tune
> > it? Long time ago when I was asking this question
> > the previous time, I was
> > scared to learn that lots of people do not tune
> > their NIDSs. Is it any
> > better now?
> >
> > Best,
> > --
> > Anton A. Chuvakin, Ph.D., GCIA, GCIH, GCFA
>
>
>
> __________________________________
> Discover Yahoo!
> Find restaurants, movies, travel and more fun for the weekend. Check it out!
> http://discover.yahoo.com/weekend.html
>
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> --------------------------------------------------------------------------
>
>
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
- Previous message: Gary Halleen: "RE: on NIDS/NIPS tuning"
- In reply to: Bob Huber: "Re: on NIDS/NIPS tuning"
- Next in thread: Jason Falciola: "Re: on NIDS/NIPS tuning"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
