RE: on NIDS/NIPS tuning

From: Anton A. Chuvakin (anton_at_chuvakin.org)
Date: 06/14/05

    Date: Mon, 13 Jun 2005 18:21:49 -0400 (EDT)
    To: focus-ids@securityfocus.com
    
    

    All,

    OMG, this discussion actually went in the direction I meant it to go
    (towards SIM) without me driving it there ...

    Just for the list's entertainment value, I do run my NIDSs with all sigs
    enabled and (oh horror!) my Snorts do autodownload from snort.org *and*
    bleedingsnort. Am I an idiot? :-) No, I design next-generation correlation
    technology.

    >Theoretically, the SIM uses all the data it sees to correlate attacks,
    >attackers, trends in suspicious activity, etc. If you tune what appears
    >to be noise at the IDS, you could potentially be tuning out data the SIM
    >uses to correlate and alert on a higher quality event.
    >
    >Conversely, tuning out known FP's at the IDS should create a higher
    >quality data stream for the SIM to use. Logic points me to opening the
    >IDS and letting the SIM do the work. The SIM would also be where the

    The above excerpt from Scott Hazel's post is pretty much what I wanted to
    say next :-) More NIDS data for the SIM to chew on vs a higher-quality data
    stream from well-tuned NIDSs is a very good question. Now, I do see this
    problem not necessarily as "where to tune - on NIDS or on SIM", but more
    like "how to best use SIM to help the ailing NIDSs and soon-to-be-ailing
    NIPSes". In addition, one has to tune NIPS on a NIPS today (for inline
    blocking action to happen), unless you plan to use SIM correlation to make
    those blocking decisions on a NIPS (can be done in the future).

    As it happens, I prefer more data to be available for a SIM. And, if your
    SIM is really good, it should be able to work well for you under the
    circumstances. Now, those classic "false positives" where NIDS is 'just
    plain wrong' might not add any value to SIM's view of the network, but, on
    the other hand, SIM will help you deprioritize them. However, other types
    of what is often seen as "false alarms" do actually help SIM
    decision-making quite often. In addition, a big pool of those "false"
    messages sometimes can be mined for some hidden gems, given the right
    technology.

    Best,

    -- 
    Anton A. Chuvakin, Ph.D., GCIA, GCIH, GCFA
         http://www.info-secure.org
       http://www.securitywarrior.com
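The "tune at the SIM, not the sensor" argument above, as an added illustration (not code from the post or from any SIM product): every Snort alert is kept and scored rather than dropped, an asset inventory deprioritizes the classic wrong-platform false positives, and a simple cross-alert correlation shows how those same "false" hits still reveal one source sweeping several hosts. The alert lines, asset table and scoring weights are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Snort fast-format alert lines (not from the original post).
ALERTS = [
    "06/13-18:01:02.1 [**] [1:2003:4] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 10.0.0.5:4431 -> 192.168.1.10:80",
    "06/13-18:01:03.2 [**] [1:2003:4] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 10.0.0.5:4432 -> 192.168.1.11:80",
    "06/13-18:01:04.3 [**] [1:2003:4] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 10.0.0.5:4433 -> 192.168.1.12:80",
    "06/13-18:02:00.0 [**] [1:469:3] ICMP PING NMAP [**] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.10",
    "06/13-18:02:01.0 [**] [1:469:3] ICMP PING NMAP [**] [Priority: 3] {ICMP} 10.0.0.8 -> 192.168.1.10",
    "06/13-18:03:00.0 [**] [1:1667:5] WEB-IIS +.htr access [**] [Priority: 2] {TCP} 10.0.0.9:5001 -> 192.168.1.20:80",
]
# Constructed asset inventory: web platform behind each destination address.
ASSETS = {"192.168.1.10": "apache", "192.168.1.11": "apache",
          "192.168.1.12": "iis", "192.168.1.20": "iis"}

LINE_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>\d+:\d+):\d+\] (?P<msg>.+?) \[\*\*\] .*?"
    r"\[Priority: (?P<prio>\d)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?")

def parse(lines):
    """Parse fast-format lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            a = m.groupdict()
            a["prio"] = int(a["prio"])
            alerts.append(a)
    return alerts

def sweeps(alerts, min_hosts=3):
    """(sid, src) pairs whose signature fired against >= min_hosts distinct hosts."""
    hit = defaultdict(set)
    for a in alerts:
        hit[(a["sid"], a["src"])].add(a["dst"])
    return {k for k, hosts in hit.items() if len(hosts) >= min_hosts}

def triage(lines):
    """Score every alert without discarding any; (score, sid, src, dst), highest first."""
    alerts = parse(lines)
    sweeping = sweeps(alerts)
    out = []
    for a in alerts:
        s = 4 - a["prio"]                       # Snort priority 1 -> 3 points, 3 -> 1 point
        if a["msg"].startswith("WEB-IIS") and ASSETS.get(a["dst"]) != "iis":
            s = 0                               # classic FP: IIS sig against a non-IIS host, kept but deprioritized
        if (a["sid"], a["src"]) in sweeping:
            s += 2                              # the "false" hits still reveal one source sweeping several hosts
        out.append((s, a["sid"], a["src"], a["dst"]))
    return sorted(out, reverse=True)
```

Had the two IIS hits against the Apache hosts been tuned out at the sensor, the sweep by 10.0.0.5 would never reach the three-host threshold, which is the data-loss the post is worried about.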
    
