Re: on NIDS/NIPS tuning

From: Martin Roesch (roesch_at_sourcefire.com)
Date: 06/11/05

  • Next message: Adam Powers: "Re: on NIDS/NIPS tuning"
    Date: Fri, 10 Jun 2005 21:13:01 -0400
    To: focus-ids@securityfocus.com
    
    

    I have two observations:

    1) On this list you will find a high number of "tuners". People on
    this list are obviously into this topic, so this is to be expected.

    2) Generally speaking (and going by nearly 7 years of experience with
    people using Snort) I'd say that lots of people use their IDSes in
    their completely stock configuration. Hell, we've even got Snort users
    who auto-download rule updates and fire them up sight unseen,
    something that was shown pretty clearly a few years ago (pre-
    Sourcefire) when we checked a joke rule into CVS and got a bunch of
    pissed off emails from people who had auto-deployed them.

    This is a real problem with detection technology in general: it takes
    a lot of expertise to tune effectively if you want to get a lot of
    value out of it. That expertise is a fairly esoteric set of skills
    which is difficult to find in a lot of organizations. Now obviously
    I have some real ideas about that topic, but that wasn't the point of
    this thread...

          -Marty

    -- 
    Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
    Sourcefire - Network Defense for the Real World - http://www.sourcefire.com
    Snort: Open Source Intrusion Detection and Prevention - http://www.snort.org
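The post's point about rule updates fired up sight unseen suggests a simple pre-deployment gate: key the incoming rule set by sid and list what is new, removed, rev-bumped, or changed without a rev bump before anything goes live. The following is an added example (not code from the original post, from Snort, or from Sourcefire); the rule lines are constructed samples, and the sids in the 1000000+ range are placeholders.

```python
import re

# Minimal Snort rule parsing: just enough to key a rule by sid and spot changes.
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')

def parse_rules(text):
    """Return {sid: (rev, msg, rule_line)} for every active (non-#) rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):      # blank line or disabled rule
            continue
        sid = SID_RE.search(line)
        if not sid:                               # no sid: cannot be keyed, skip
            continue
        rev, msg = REV_RE.search(line), MSG_RE.search(line)
        rules[int(sid.group(1))] = (int(rev.group(1)) if rev else 0,
                                    msg.group(1) if msg else '', line)
    return rules

def review_update(deployed_text, update_text):
    """Classify what applying the update would change relative to the deployed set."""
    old, new = parse_rules(deployed_text), parse_rules(update_text)
    report = {'added': [], 'removed': [], 'rev_bumped': [], 'silent_change': []}
    for sid in sorted(set(old) | set(new)):
        if sid not in old:
            report['added'].append((sid, new[sid][1]))
        elif sid not in new:
            report['removed'].append((sid, old[sid][1]))
        elif old[sid][2] != new[sid][2]:
            # Body differs: was the rev bumped, or did the rule change silently?
            key = 'rev_bumped' if new[sid][0] > old[sid][0] else 'silent_change'
            report[key].append((sid, new[sid][1]))
    return report

# Constructed sample rule sets (hypothetical sids, not real Snort rules).
DEPLOYED = '''\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample probe"; content:"/probe"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP sample login"; content:"USER"; sid:1000002; rev:2;)
alert tcp any any -> $HOME_NET 25 (msg:"SMTP sample"; sid:1000003; rev:1;)
'''
UPDATE = '''\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample probe"; content:"/probe"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP sample login"; content:"USER"; nocase; sid:1000002; rev:3;)
alert tcp any any -> $HOME_NET 25 (msg:"SMTP sample"; content:"MAIL"; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"CONSTRUCTED new rule"; sid:1000004; rev:1;)
'''

if __name__ == '__main__':
    for kind, entries in review_update(DEPLOYED, UPDATE).items():
        print(f'{kind}: {entries}')
```

Anything listed under silent_change or added is what an operator would read before enabling the update, which is exactly the review step the auto-deployers skipped.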
    
