IDS mailing list archives

Need help to choose a security policy


From: "CEDRIC CASSIN " <anginapectoris () caramail com>
Date: Thu, 06 May 2004 14:10:15 GMT

Hello everybody 

I would like to apologize for my level of English...

I have been asked to decrease the amount of IDS logs we get: useless events, false positives and so on. The logs 
are so large that they are sometimes unmanageable. It's quite hard to find relevant information on the Internet.

One of our IDS is located in front of the Internet and the others are in a private WAN. Most of the logs 
come from our WAN, and I'm supposed to spend most of my time on these. To begin with, I've preferred 
to handle and understand the behaviour of the IDS which doesn't generate too much data, the one in front of 
the Internet. 

Let me explain my point of view...

Since the company I work for wants to decrease the number of logs, the policy to apply shouldn't consist of 
logging all the attacks. I'm suggesting to log only the attacks that will be able to go through the Firewall, 
consequently those that match the Firewall's access-list: allowed services and allowed source addresses. I have 
listed all the permitted services and want to tune the IDS to look only for the signatures related to these 
services. Is it a good or dangerous way of thinking?

Working on the easiest IDS, I found this method easy to perform, but I'm afraid I'll have some difficulties doing 
the same for the others, as the traffic volume is much greater. Any suggestion would be welcome.

Regards 

Cédric

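An added illustration of the policy Cédric proposes, written for this archive and not code from the original post: each IDS alert is checked against the firewall access-list, alerts the firewall would have let through are kept at full detail, and the rest are condensed to a per-source count rather than discarded. The ACL entries, addresses and alert lines are constructed assumptions.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
# Constructed firewall access-list: (allowed source network, destination port, protocol).
# Networks, ports and services are assumptions, not the poster's real configuration.
FIREWALL_ACL = [
    ("0.0.0.0/0", 80, "tcp"),       # public web server reachable from anywhere
    ("0.0.0.0/0", 25, "tcp"),       # inbound mail
    ("203.0.113.0/24", 22, "tcp"),  # SSH only from a partner network
]

@dataclass
class Alert:
    src: str
    dst_port: int
    proto: str
    sig: str

def passes_firewall(alert, acl=FIREWALL_ACL):
    """True if some ACL entry would let this packet through to the inside host."""
    src = ipaddress.ip_address(alert.src)
    return any(
        port == alert.dst_port and proto == alert.proto
        and src in ipaddress.ip_network(net)
        for net, port, proto in acl
    )

def triage(alerts, acl=FIREWALL_ACL):
    """Keep full detail for alerts the firewall would have passed; collapse the
    rest to a per-source count so scanning of closed ports is not lost entirely."""
    reachable = [a for a in alerts if passes_firewall(a, acl)]
    blocked_by_src = Counter(a.src for a in alerts if not passes_firewall(a, acl))
    return reachable, blocked_by_src

# Constructed sample alerts (not real IDS output).
SAMPLE_ALERTS = [
    Alert("198.51.100.7", 80, "tcp", "WEB-IIS cmd.exe access"),
    Alert("198.51.100.7", 1433, "tcp", "MS-SQL probe"),   # port closed at the firewall
    Alert("198.51.100.7", 445, "tcp", "NETBIOS probe"),   # port closed at the firewall
    Alert("192.0.2.9", 22, "tcp", "SSH brute force"),     # source not in the SSH allow-list
    Alert("203.0.113.44", 22, "tcp", "SSH brute force"),  # allowed source, would reach host
]

if __name__ == "__main__":
    reachable, blocked = triage(SAMPLE_ALERTS)
    for a in reachable:
        print("REVIEW ", a.src, a.dst_port, a.sig)
    for src, n in blocked.items():
        print("SUMMARY", src, f"{n} alert(s) dropped at the firewall")
```

The per-source summary is the caveat to the policy: alerts that the firewall blocks still show who is probing closed ports, so they are better counted than silenced.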

