Re: on NIDS/NIPS tuning

From: Brent Stackhouse (brentstackhouse_at_yahoo.com)
Date: 06/12/05

  • Next message: Hazel, Scott A.: "RE: on NIDS/NIPS tuning"
    Date: Sat, 11 Jun 2005 19:36:20 -0700 (PDT)
    To: focus-ids@securityfocus.com
    
    

    Hey Anton,

    Yup, I always tune, whether using ISS, Cisco, or
    McAfee. Don't see how you can avoid it and still get
    what you want. Even when using a SIM with Cisco IPS,
    I still have to make sure the "right" signatures are
    enabled, since Cisco's sig updates don't enable all of
    them by default (and I may pick different ones to
    enable than Cisco did). A SIM doesn't change that
    step, at least not the Cisco MARS product I've been
    using recently.

    Brent Stackhouse, GSEC/GCIH

    > Date: Thu, 9 Jun 2005 13:01:20 -0400 (EDT)
    > From: "Anton A. Chuvakin" <anton@chuvakin.org>
    > To: focus-ids@securityfocus.com
    > Subject: on NIDS/NIPS tuning
    >
    > All,
    >
    > I was thinking about some issues with IDS alerts (their volume, etc.) and
    > realized I could use some help from the list. It might also be a fun
    > discussion item.
    >
    > So, here it is: how many folks who buy/download a NIDS/NIPS actually tune
    > it? Long time ago when I was asking this question the previous time, I was
    > scared to learn that lots of people do not tune their NIDSs. Is it any
    > better now?
    >
    > Best,
    > --
    > Anton A. Chuvakin, Ph.D., GCIA, GCIH, GCFA
    > http://www.info-secure.org
    > http://www.securitywarrior.com

                    