Educause Security Discussion mailing list archives
Re: IPS signature update process
From: "Bradley, Stephen W. Mr." <bradlesw () MUOHIO EDU>
Date: Tue, 18 Aug 2009 04:16:50 -0400
I agree with Michael. We have been running our IPSs for over 5 years now, and for the first few years we reviewed each individual signature and realized it was a lot of effort for very little return. I can't remember a single instance of the default setting from the vendor blocking legitimate traffic. Now we receive the updates and deploy them; then, at a later date, we review the classes to see if there are any that may need to be changed from allow to block or vice versa.

steve

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Grinnell
Sent: Monday, August 17, 2009 11:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IPS signature update process

On 8/17/2009 11:15 PM, Fields, Kimberly wrote:
Hello All,

We are currently trying to formalize a process for updating our IPS signatures. I was looking to see what other people out there are doing. Management would like to incorporate a review committee to help ensure legitimate traffic doesn't get blocked. I'm struggling to come up with a model that would incorporate this. Any feedback would be helpful.
Is this a big problem for you? We've been running an IPS for 3-4 years now and had 2 cases of rules that blocked legitimate traffic. Only one of those rules was on by default, and in both cases it was the result of poorly coded applications.

In general, I think IPS/IDS signature updates, like AV updates, are too frequent and granular to justify extensive change control and review. I think you're better off with regularly scheduled updates, a good record of the changes, and good logs of any blocked traffic. You can then refer to these artifacts if an issue comes up and resolve it quickly. SLAs, etc. may change the equation a bit, but if your IPS is blocking legitimate traffic frequently enough to warrant a review committee, I would start looking for a replacement.

Regards,
Michael Grinnell
Senior Information Security Engineer
The American University
Current thread:
- IPS signature update process Fields, Kimberly (Aug 17)
- <Possible follow-ups>
- Re: IPS signature update process Michael Grinnell (Aug 17)
- Re: IPS signature update process Bradley, Stephen W. Mr. (Aug 18)
- Re: IPS signature update process Gary Dobbins (Aug 18)
- Re: IPS signature update process Mike Peterson (Aug 18)
- Re: IPS signature update process Chris Green (Aug 19)