RE: on NIDS/NIPS tuning

From: Darren Webb (spyder007_at_charter.net)
Date: 06/10/05

  • Next message: Martin Roesch: "Re: on NIDS/NIPS tuning"
    To: "'Anton A. Chuvakin'" <anton@chuvakin.org>, <focus-ids@securityfocus.com>
    Date: Fri, 10 Jun 2005 16:21:02 -0500
    
    

    We constantly refine our IDS sigs. I don't see how anyone could not.

    However it wasn't always that way. When we inherited the system, the
    database was so full of false positives that it was completely unusable. We
    pretty much had to start over.

    Darren

    -----Original Message-----
    From: Anton A. Chuvakin [mailto:anton@chuvakin.org]
    Sent: Thursday, June 09, 2005 12:01 PM
    To: focus-ids@securityfocus.com
    Subject: on NIDS/NIPS tuning

    All,

    I was thinking about some issues with IDS alerts (their volume, etc) and
    realized I could use some help from the list. It might also be a fun
    discussion item.

    So, here it is: how many folks who buy/download a NIDS/NIPS actually tune
    it? A long time ago, when I asked this question the previous time, I was
    scared to learn that lots of people do not tune their NIDSs. Is it any
    better now?

    Best,

    --
    Anton A. Chuvakin, Ph.D., GCIA, GCIH, GCFA
    http://www.info-secure.org
    http://www.securitywarrior.com
    --------------------------------------------------------------------------
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from 
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
    to learn more.
    --------------------------------------------------------------------------
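As an added example, not part of the thread and not Snort's own tooling, here is the first pass a practitioner takes on an inherited, untuned sensor like the one Darren describes: rank alerts by signature, flag signatures whose volume comes from only a handful of source hosts, and draft source-scoped suppressions for review. It assumes alerts in Snort's alert_fast line format; the sample alert lines, the host addresses and the min_count/max_src thresholds are constructed for illustration and are not from any real deployment.

```python
"""Rank NIDS alerts by signature and list tuning candidates.

Added example for the tuning discussion above; not code from the thread or
from Snort. Assumes Snort alert_fast lines (gid:sid:rev, message,
classification, protocol, src -> dst). Sample lines are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample alerts (alert_fast style, not captured traffic).
# 10.0.0.2/.3 play a monitoring station; 198.51.100.7 plays an SSH scanner.
SAMPLE_ALERTS = """\
06/10-09:00:01.000101  [**] [1:1000001:1] LOCAL ICMP ping from monitoring [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.2 -> 10.0.0.7
06/10-09:00:01.000202  [**] [1:1000001:1] LOCAL ICMP ping from monitoring [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.2 -> 10.0.0.8
06/10-09:00:01.000303  [**] [1:1000001:1] LOCAL ICMP ping from monitoring [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.2 -> 10.0.0.9
06/10-09:00:01.000404  [**] [1:1000001:1] LOCAL ICMP ping from monitoring [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.2 -> 10.0.0.10
06/10-09:00:01.000505  [**] [1:1000001:1] LOCAL ICMP ping from monitoring [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.2 -> 10.0.0.11
06/10-09:00:05.100001  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44001 -> 10.0.0.20:22
06/10-09:00:05.100002  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44002 -> 10.0.0.21:22
06/10-09:00:05.100003  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44003 -> 10.0.0.22:22
06/10-09:00:05.100004  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44004 -> 10.0.0.23:22
06/10-09:00:05.100005  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44005 -> 10.0.0.24:22
06/10-09:00:05.100006  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44006 -> 10.0.0.25:22
06/10-09:00:10.200001  [**] [1:1000002:1] LOCAL SNMP poll from NMS [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.2:50001 -> 10.0.0.30:161
06/10-09:00:10.200002  [**] [1:1000002:1] LOCAL SNMP poll from NMS [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.2:50002 -> 10.0.0.31:161
06/10-09:00:10.200003  [**] [1:1000002:1] LOCAL SNMP poll from NMS [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.2:50003 -> 10.0.0.32:161
06/10-09:00:10.200004  [**] [1:1000002:1] LOCAL SNMP poll from NMS [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.3:50004 -> 10.0.0.33:161
06/10-09:00:20.300001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.40:80 -> 10.0.0.9:51234
06/10-09:00:20.300002  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.41:80 -> 10.0.0.12:51235
06/10-09:00:20.300003  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.42:80 -> 10.0.0.13:51236
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def rank_by_volume(events):
    """(sid, msg, count), loudest signature first: the usual first look at an
    inherited sensor whose alert database is unusable."""
    counts = Counter((e["sid"], e["msg"]) for e in events)
    return [(sid, msg, n) for (sid, msg), n in counts.most_common()]


def tuning_candidates(events, min_count=4, max_src=2):
    """Signatures whose volume comes from at most max_src source hosts.

    Heuristic only (thresholds are assumed values): a monitoring station and
    a real scanner both produce this shape, so this is a review list, not a
    rule change to apply unattended.
    """
    by_sid = defaultdict(list)
    for e in events:
        by_sid[e["sid"]].append(e)
    cands = []
    for sid, evs in by_sid.items():
        srcs = Counter(e["src"] for e in evs)
        if len(evs) >= min_count and len(srcs) <= max_src:
            cands.append({"sid": sid, "gid": evs[0]["gid"], "msg": evs[0]["msg"],
                          "count": len(evs), "sources": sorted(srcs)})
    return sorted(cands, key=lambda c: (-c["count"], int(c["sid"])))


def suggest_suppressions(cands):
    """threshold.conf-style suppress lines (Snort 2 syntax), scoped to the
    noisy source hosts so the signature keeps firing for everyone else."""
    return [
        f"suppress gen_id {c['gid']}, sig_id {c['sid']}, track by_src, ip {src}"
        for c in cands
        for src in c["sources"]
    ]


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    for sid, msg, n in rank_by_volume(evs):
        print(f"{n:4d}  {sid:<8} {msg}")
    print("\n# candidates for review (do not apply blindly):")
    for line in suggest_suppressions(tuning_candidates(evs)):
        print(line)
```

The output is a starting point for review, not something to feed back into the sensor unattended: on the sample data the SSH-scan signature is flagged with exactly the same shape as the monitoring host, and suppressing it would be tuning out a real attack. Where a host is confirmed benign, suppress by source (track by_src) rather than disabling the signature, so the rule still catches the same behaviour from anyone else.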
