RE: on NIDS/NIPS tuning

From: Kohlenberg, Toby (toby.kohlenberg_at_intel.com)
Date: 06/15/05

    Date: Tue, 14 Jun 2005 15:33:02 -0700
    To: "David Kee" <templeofprs@hotmail.com>, <focus-ids@securityfocus.com>
    
    

    Heh. Most SIMs should be able to handle serious IDS load if you give
    them enough hardware. ;)

    As for tuning, I never said anything about not tuning, in fact you
    seem to be arguing about a number of points I didn't make?

    Having dealt with all the issues you mention below, I'll say that
    yes, they are issues and no, they are not as impossible as you seem
    to think.

    toby

    >-----Original Message-----
    >From: David Kee [mailto:templeofprs@hotmail.com]
    >Sent: Tuesday, June 14, 2005 8:26 AM
    >To: focus-ids@securityfocus.com
    >Subject: RE: on NIDS/NIPS tuning
    >
    >I am curious to know what SIM product can handle un-tuned IDS alerts in
    >addition to firewall logs, server logs, and application logs. How accurate
    >is the list of message IDs and the message parsing? I doubt that there is a
    >SIM vendor that has a correlation engine that can handle a fraction of the
    >traffic in an average data-center or enterprise network. Can they provide
    >packaged reporting and alert management? Flat-file or relational database?
    >Don't forget about your SOC operators who have to manage the message queue
    >and respond to all of the alerts. You cannot just push traffic to a SIM and
    >have it magically (and accurately) generate some golden nugget message. What
    >are you using to gather vulnerability assessment information and how is the
    >SIM correlating against that information? Valid alerts need to be measured
    >against the vulnerability of the device/application (patch levels,
    >hardening, etc).
    >>
    >>-----Original Message-----
    >>From: Kohlenberg, Toby [mailto:toby.kohlenberg@intel.com]
    >>Sent: Monday, June 13, 2005 10:42 AM
    >>To: Hazel, Scott A.; focus-ids@securityfocus.com
    >>Subject: RE: on NIDS/NIPS tuning
    >>
    >>I'd suggest that IDS(ips) tuning is still essential. Not only do
    >>rules/sigs need to be tuned but new sigs/rules need to be added to fit
    >>your environment.
    >>
    >>Where to tune is a very good question and not easily answered. I
    >>generally try to tune on the sensor first and on the SIM second. The
    >>idea being that I want to decrease the work the sensor has to do rather
    >>than just ignore it.
    >>
    >>That said, it's only reasonable to do that if you can be confident of
    >>reducing false positives without increasing false negatives at the same
    >>time.
    >>
    >>toby
    >>
    >> >-----Original Message-----
    >> >From: Hazel, Scott A. [mailto:Scott.Hazel@unisys.com]
    >> >Sent: Saturday, June 11, 2005 9:20 PM
    >> >To: focus-ids@securityfocus.com
    >> >Subject: RE: on NIDS/NIPS tuning
    >> >
    >> >This is a fundamental question we've been dealing with as well. By
    >> >default we tune the IDS. But when the SIM tool is thrown into the mix,
    >> >the question becomes where to tune. Theoretically, the SIM uses all the
    >> >data it sees to correlate attacks, attackers, trends in suspicious
    >> >activity, etc. If you tune what appears to be noise at the IDS, you
    >> >could potentially be tuning out data the SIM uses to correlate and
    >> >alert on a higher quality event.
    >> >
    >> >Conversely, tuning out known FP's at the IDS should create a higher
    >> >quality data stream for the SIM to use. Logic points me to opening the
    >> >IDS and letting the SIM do the work. The SIM would also be where the
    >> >data was tuned. In the end, it seems you could go either way depending
    >> >on how you want your alerts served up to you and how much disk you've
    >> >got to hold all that data in the IDS.
    >> >
    >> >Thanks for starting this thread though. Tuning an IDS seems as much an
    >> >art as a science. I'm glad to see input on how the rest of you handle
    >> >it.
    >> >
    >> >Scott Hazel
    >> >
    >> >-----Original Message-----
    >> >From: Gary Halleen [mailto:ghalleen@cisco.com]
    >> >Sent: Friday, June 10, 2005 4:17 PM
    >> >To: 'Drew Simonis'; 'Anton A. Chuvakin'; focus-ids@securityfocus.com
    >> >Subject: RE: on NIDS/NIPS tuning
    >> >
    >> >I'm seeing many organizations now tuning not on the IDS, but on the SIM
    >> >product they're using for monitoring them.
    >> >
    >> >Gary
    >> >
    >> >
    >> >-----Original Message-----
    >> >From: Drew Simonis [mailto:simonis@myself.com]
    >> >Sent: Friday, June 10, 2005 6:02 AM
    >> >To: Anton A. Chuvakin; focus-ids@securityfocus.com
    >> >Subject: Re: on NIDS/NIPS tuning
    >> >
    >> >>
    >> >> All,
    >> >>
    >> >> I was thinking about some issues with IDS alerts (their volume, etc)
    >> >> and realized I could use some help from the list. It might also be a
    >> >> fun discussion item.
    >> >>
    >> >> So, here it is: how many folks who buy/download a NIDS/NIPS actually
    >> >> tune it? Long time ago when I was asking this question the previous
    >> >> time, I was scared to learn that lots of people do not tune their
    >> >> NIDSs. Is it any better now?
    >> >>
    >> >
    >> >I know that, in my experience, many orgs don't tune at all. The fear is
    >> >that they might do it wrong and thereby miss some important event. IMO,
    >> >this is a stupid way of thinking, but I bet it isn't as rare as it
    >> >should be.
    >> >
    >> >In other cases, people do not tune and rely on a correlation engine or
    >> >MSS to filter the events. This is better, but really just moves the
    >> >tuning to a different level.
    >> >
    >> >Personally, I tune sigs and also tailor the sig sets to the devices
    >> >being monitored. For example, if there are no webservers on a segment, I
    >> >might not be as inclined to use sigs that check for Apache exploits.
    >> >I've never really measured the impact on the system vs. the
    >> >administrative cost of doing this, however, so it is quite possible I am
    >> >wasting time for a negligible benefit.
    >> >
    >> >On the tuning side, I believe that filters and exclusions should be part
    >> >of the incident response lifecycle. If I am alerted to an event by an
    >> >IDS, I investigate and discover that the event was benign or did not
    >> >take place, a filter should result, and thus be properly documented.
    >> >
    >> >-Ds
    >> >
    >> >
    >> >
    >> >---------------------------------------------------------------
    >> >---------
    >> >--
    >> >Test Your IDS
    >> >
    >> >Is your IDS deployed correctly?
    >> >Find out quickly and easily by testing it with real-world
    >attacks from
    >> >CORE IMPACT.
    >> >Go to
    >> >http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    >> >
    >> >to learn more.
    >> >---------------------------------------------------------------
    >> >---------
    >> >--

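The thread argues for tuning on the sensor first, tailoring sig sets to the devices a segment actually has, recording each filter with the investigation that produced it, and only accepting a filter when it cuts false positives without raising false negatives. The following is an added example that puts those four points into code; it is not code from any poster in this thread. The Alert and Suppression record layouts are hypothetical, and the inventory, alerts, and ticket ids are constructed for illustration.

```python
"""Sensor-first alert tuning with documented suppressions and a false-negative
safety check. Added example, not code from the focus-ids thread; the asset
inventory, alerts, and ticket ids are constructed, and the record layout is a
hypothetical one chosen for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Alert:
    sid: int          # signature id that fired
    category: str     # what the signature targets, e.g. "web-apache"
    src: str
    dst: str
    segment: str      # network segment the sensor watches
    msg: str


@dataclass(frozen=True)
class Suppression:
    """A filter produced by an investigation, tied to the record that justifies it."""
    sid: int
    src: Optional[str]   # None matches any source
    dst: Optional[str]   # None matches any destination
    ticket: str          # reference to the incident/investigation record


# Constructed inventory: services actually exposed on each monitored segment.
INVENTORY: Dict[str, Set[str]] = {
    "dmz-web": {"http", "https"},
    "corp-mail": {"smtp", "imap"},
    "user-lan": set(),
}

# Signature categories that only make sense where the matching service exists.
CATEGORY_NEEDS: Dict[str, Set[str]] = {
    "web-apache": {"http", "https"},
    "web-iis": {"http", "https"},
    "smtp": {"smtp"},
}


def drop_reason(alert: Alert, inventory: Dict[str, Set[str]],
                suppressions: List[Suppression]) -> Optional[str]:
    """Return why the sensor would tune this alert out, or None to keep it."""
    needs = CATEGORY_NEEDS.get(alert.category)
    present = inventory.get(alert.segment, set())
    if needs is not None and not (needs & present):
        return f"no {alert.category} target on segment {alert.segment}"
    for s in suppressions:
        if s.sid == alert.sid and s.src in (None, alert.src) and s.dst in (None, alert.dst):
            return f"suppressed per {s.ticket}"
    return None


def tune(alerts, inventory, suppressions) -> Tuple[List[Alert], List[Tuple[Alert, str]]]:
    """Split alerts into those forwarded to the SIM and those dropped, with reasons."""
    kept, dropped = [], []
    for a in alerts:
        reason = drop_reason(a, inventory, suppressions)
        if reason is None:
            kept.append(a)
        else:
            dropped.append((a, reason))
    return kept, dropped


def safe_to_deploy(labelled, inventory, suppressions) -> Dict[str, object]:
    """Check a filter set against already-investigated alerts: it must remove
    false positives without dropping anything labelled a true positive."""
    fp_removed = fn_added = 0
    for alert, true_positive in labelled:
        if drop_reason(alert, inventory, suppressions) is None:
            continue
        if true_positive:
            fn_added += 1
        else:
            fp_removed += 1
    return {"fp_removed": fp_removed, "fn_added": fn_added, "ok": fn_added == 0}


# Constructed alerts: two Apache sigs (one on a segment with no web servers),
# two scan sigs (one from an authorized internal scanner), one SMTP probe.
SAMPLE_ALERTS = [
    Alert(1001, "web-apache", "203.0.113.8", "192.0.2.10", "dmz-web", "Apache chunked encoding attempt"),
    Alert(1001, "web-apache", "203.0.113.8", "192.0.2.50", "user-lan", "Apache chunked encoding attempt"),
    Alert(2002, "scan", "192.0.2.77", "192.0.2.10", "dmz-web", "nmap probe"),
    Alert(3003, "smtp", "198.51.100.5", "192.0.2.25", "corp-mail", "SMTP VRFY"),
    Alert(2002, "scan", "203.0.113.9", "192.0.2.10", "dmz-web", "nmap probe"),
]

# Suppression written up after investigating the internal scanner (ticket id constructed).
SUPPRESSIONS = [Suppression(2002, "192.0.2.77", None, "IR-0042 authorized vuln scanner")]

# Verdicts from past investigations, used to validate the filter set.
LABELLED = list(zip(SAMPLE_ALERTS, [True, False, False, False, True]))

if __name__ == "__main__":
    kept, dropped = tune(SAMPLE_ALERTS, INVENTORY, SUPPRESSIONS)
    for a, why in dropped:
        print(f"drop sid={a.sid} {a.src}->{a.dst}: {why}")
    print("forwarded to SIM:", len(kept))
    print(safe_to_deploy(LABELLED, INVENTORY, SUPPRESSIONS))
    # A suppression with no source constraint would silence the external scan too.
    print(safe_to_deploy(LABELLED, INVENTORY, [Suppression(2002, None, None, "hypothetical")]))
```

The inventory check is what Drew describes (no web servers on a segment, so Apache sigs add nothing there), the ticket on each Suppression is the documented-filter step of his incident response lifecycle, and safe_to_deploy is Toby's caveat turned into a test: a filter set that drops any alert an investigation labelled a true positive is rejected before it reaches the sensor.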

