Re:NIDS

From: Juan B (juanbabi_at_yahoo.com)
Date: 06/10/05

  • Next message: David Gillett: "RE: IP announce DOS"
    Date: Fri, 10 Jun 2005 10:32:45 -0700 (PDT)
    To: security-basics@securityfocus.com
    
    

    Hi,

    Before deploying an IDS you should know that this kind
    of system needs a lot of maintenance. Setting up and
    configuring the sensors is not a big deal; it is the
    alert handling that needs to be configured. When you
    first install and start to receive alerts you will
    receive many false positive alerts on your machines.
    In large firms there is a dedicated employee whose
    only task is to handle this system.

    Also consider having a very strong management server to
    handle all the alerts (MySQL server most of the time).
    Use Snort as an IDS system.
    You will need a signature handling application, which
    you can find at www.activework.org.
    Also be sure to armor the sensors before plugging them
    into the network. I would put a sensor in the DMZ and in
    each network segment, but not between the router and
    the firewall; it will just fill your management server
    with a lot of useless alerts.

    Remember: false positives are the number 1 problem
    with IDSs.

    Hope it helped.

    Juan Fernandez.

    Security Engineer

    Tel: +972-52-4306781
    MCSE CCNA CCSA SCSA

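As an added illustration of the alert-handling work the post describes (this is not code from the post or from the Snort project), the script below parses Snort "alert_fast" output lines, ranks signatures by how much of the alert volume they produce, and suggests a Snort 2 event_filter line to rate-limit the noisiest ones instead of disabling them. The sample alert lines, the SIDs 1000001/1000002 and all IP addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Matches Snort "alert_fast" output lines; ports are optional (ICMP has none).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts (SIDs 1000001/1000002 are in the local-rule range, not real rules).
SAMPLE_ALERTS = """\
06/10-10:32:45.101  [**] [1:1000001:1] EXAMPLE ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.20 -> 10.1.1.1
06/10-10:32:46.202  [**] [1:1000001:1] EXAMPLE ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.21 -> 10.1.1.1
06/10-10:32:47.303  [**] [1:1000001:1] EXAMPLE ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.22 -> 10.1.1.1
06/10-10:32:48.404  [**] [1:1000002:1] EXAMPLE web scanner UA [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:51234 -> 10.1.2.5:80
this line is not an alert and is skipped
"""

def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines, noisy_ratio=0.5):
    """Count alerts per signature and flag any signature producing more than
    noisy_ratio of all alerts as a tuning candidate (likely false positive)."""
    by_sig, srcs, total = Counter(), defaultdict(set), 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["gid"], a["sid"], a["msg"])
        by_sig[key] += 1
        srcs[key].add(a["src"])
        total += 1
    return [{"gid": g, "sid": s, "msg": m, "count": n, "sources": len(srcs[(g, s, m)]),
             "noisy": bool(total) and n / total > noisy_ratio}
            for (g, s, m), n in by_sig.most_common()]

def suggest_event_filter(entry, seconds=60):
    """Snort 2 threshold.conf line that limits a noisy signature to one
    alert per source per interval instead of disabling the rule outright."""
    return (f"event_filter gen_id {entry['gid']}, sig_id {entry['sid']}, "
            f"type limit, track by_src, count 1, seconds {seconds}")

if __name__ == "__main__":
    for e in triage(SAMPLE_ALERTS.splitlines()):
        flag = "  <- tuning candidate: " + suggest_event_filter(e) if e["noisy"] else ""
        print(f"{e['count']:4d} {e['gid']}:{e['sid']} {e['msg']} ({e['sources']} sources){flag}")
```

Run it against a real alert file by replacing SAMPLE_ALERTS with the file's lines; the ratio threshold is deliberately low here so the three-alert sample trips it.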

