Security Basics mailing list archives

Re: NIDS


From: Juan B <juanbabi () yahoo com>
Date: Fri, 10 Jun 2005 10:32:45 -0700 (PDT)

Hi,

Before deploying an IDS you should know that this kind of system needs a lot of maintenance. Setting up and configuring the sensors is not a big deal; it is the alert handling that needs to be configured. When you first install it and start to receive alerts, you will receive many false positive alerts on your machines. In large firms there is a dedicated employee whose only task is to handle this system.

Also consider having a very strong management server to handle all the alerts (a MySQL server most of the time). Use Snort as an IDS system. You will need a signature handling application, which you can find at www.activework.org. Also be sure to armor the sensors before plugging them into the network. I would put a sensor in the DMZ and in each network segment, but not between the router and the firewall; it will just fill your management server with a lot of useless alerts.

Remember: false positives are the number 1 problem with IDSs.

Hope it helped.

Juan Fernandez.

Security Engineer

Tel: +972-52-4306781
MCSE, CCNA, CCSA, SCSA


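The post's main point is that the work of running an IDS is in handling the alert stream and weeding out false positives, not in standing up the sensors. The script below is an added example of one small piece of that work; it is not from the post, from Snort, or from any project the post names. It parses Snort 2 `alert_fast` output lines (the layout assumed here is the classic one-line `[**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {proto} src -> dst` form), counts alerts per signature, flags signatures where a single source host produces most of the noise, and prints the `suppress` line in Snort 2 `threshold.conf` syntax that an analyst could review before tuning. The alert lines, the `min_alerts` and `dominance` thresholds, and the IP addresses are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Snort 2 alert_fast line layout (assumption for this example; fields are captured by name).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not real traffic): six hits of one signature from one source,
# one hit of the same signature from elsewhere, two ICMP alerts without ports, one junk line.
SAMPLE_ALERTS = [
    *[
        f"06/10-10:3{i}:00.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
        f"[Classification: Potentially Bad Traffic] [Priority: 2] {{TCP}} 192.168.1.10:80 -> 10.0.0.{i}:51234"
        for i in range(2, 8)
    ],
    "06/10-10:40:00.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.5.5:80 -> 10.0.0.20:40000",
    "06/10-10:41:00.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.5",
    "06/10-10:42:00.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.6",
    "garbage line that is not an alert",
]


def parse_alert(line):
    """Return a dict of alert fields, or None when the line is not an alert_fast record."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["gid"], d["sid"], d["prio"] = int(d["gid"]), int(d["sid"]), int(d["prio"])
    return d


def summarize(lines):
    """Count alerts per (gid, sid) and per (gid, sid, source address)."""
    per_sig = Counter()
    per_sig_src = defaultdict(Counter)
    msgs = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:          # skip unparseable lines rather than abort the whole run
            continue
        key = (a["gid"], a["sid"])
        per_sig[key] += 1
        per_sig_src[key][a["src"]] += 1
        msgs[key] = a["msg"]
    return per_sig, per_sig_src, msgs


def tuning_candidates(lines, min_alerts=5, dominance=0.8):
    """Signatures with at least min_alerts hits where one source accounts for
    at least `dominance` of them: typical shape of a noisy, host-specific false positive."""
    per_sig, per_sig_src, msgs = summarize(lines)
    out = []
    for key, total in per_sig.items():
        if total < min_alerts:
            continue
        src, n = per_sig_src[key].most_common(1)[0]
        if n / total >= dominance:
            out.append({"gid": key[0], "sid": key[1], "msg": msgs[key],
                        "total": total, "src": src, "src_count": n})
    return sorted(out, key=lambda c: -c["total"])


def suppress_line(c):
    """Snort 2 threshold.conf suppression for one signature from one source (syntax assumed)."""
    return f"suppress gen_id {c['gid']}, sig_id {c['sid']}, track by_src, ip {c['src']}"


if __name__ == "__main__":
    for c in tuning_candidates(SAMPLE_ALERTS):
        print(f"{c['src_count']}/{c['total']} alerts for [{c['gid']}:{c['sid']}] "
              f"'{c['msg']}' come from {c['src']}")
        print("  candidate:", suppress_line(c))
```

The script deliberately stops at printing a candidate rather than writing `threshold.conf`: a signature dominated by one source may be a misconfigured monitoring host, but it may also be a compromised one, so the decision stays with the analyst the post says you will need anyway.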
