IDS mailing list archives
Need help to choose a security policy
From: "CEDRIC CASSIN " <anginapectoris () caramail com>
Date: Thu, 06 May 2004 14:10:15 GMT
Hello everybody,

I would like to apologize for my level of English...

I have been asked to decrease the amount of IDS logs we get: useless events, false positives and so on. The logs are so large that they are sometimes unmanageable. It's quite hard to find relevant information on the Internet.

One of our IDSs is located in front of the Internet and the other ones are in a private WAN. Most of the logs come from our WAN, and I'm supposed to spend most of my time on those. As a beginning, I have preferred to handle and understand the behaviour of the IDS which doesn't generate too much data, the one in front of the Internet.

Let me explain my point of view... Since the company I work for wants to decrease the number of logs, the policy to apply shouldn't consist in logging all the attacks. I'm suggesting to log only the attacks which will be able to go through the firewall, consequently those that match the firewall's access list: allowed services and allowed source addresses. I have listed all the permitted services and want to tune the IDS to look only for the signatures relating to these services.

Is it a good or a dangerous way of thinking? Working on the easiest IDS, I found this method easy to perform, but I'm scared of having some difficulties doing the same for the others, as the traffic is much larger.

Any suggestion would be welcome.

Regards,
Cédric

Tired of spam? - http://www.caramailmax.com
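The approach described in the post above, correlating IDS alerts with the firewall's access list so that only alerts for traffic the firewall would actually pass are kept, as an added example that is not part of the original message or of any product mentioned in the thread. The ACL syntax (a simplified, Cisco-like "action proto source dport" form with first match wins and an implicit deny), the Snort "fast"-style alert layout, and all addresses and signature IDs are constructed for illustration; the functions `parse_acl`, `policy_allows`, `parse_alert` and `filter_alerts` are hypothetical names.

```python
"""Keep only IDS alerts for traffic the firewall policy would permit (added example)."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed firewall access list (assumption: first matching rule wins,
# implicit "deny ip any any" at the end even if not written).
ACL_TEXT = """
permit tcp any 80
permit tcp any 443
permit tcp 203.0.113.0/24 22
permit udp 198.51.100.0/24 53
deny ip any any
"""

# Constructed alert lines in a Snort "fast"-style layout; not real traffic.
ALERT_LINES = [
    "05/06-14:10:15.000000 [**] [1:1000001:1] WEB-MISC suspicious URI [**] {TCP} 198.51.100.7:4455 -> 192.0.2.10:80",
    "05/06-14:10:16.000000 [**] [1:1000002:1] SSH brute force attempt [**] {TCP} 203.0.113.9:51000 -> 192.0.2.10:22",
    "05/06-14:10:17.000000 [**] [1:1000002:1] SSH brute force attempt [**] {TCP} 198.51.100.7:51001 -> 192.0.2.10:22",
    "05/06-14:10:18.000000 [**] [1:1000003:1] NETBIOS SMB probe [**] {TCP} 198.51.100.7:51002 -> 192.0.2.10:445",
    "05/06-14:10:19.000000 [**] [1:1000004:1] DNS zone transfer attempt [**] {UDP} 198.51.100.8:5300 -> 192.0.2.53:53",
]


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network   # "any" is stored as 0.0.0.0/0
    dport: Optional[int]         # None means any destination port


def parse_acl(text: str) -> list:
    """Parse the constructed ACL syntax into an ordered list of rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, proto, src, dport = line.split()
        net = ipaddress.ip_network("0.0.0.0/0" if src == "any" else src)
        rules.append(Rule(action, proto.lower(), net,
                          None if dport == "any" else int(dport)))
    return rules


def policy_allows(rules, src_ip: str, proto: str, dport: int) -> bool:
    """First-match evaluation; anything not explicitly permitted is denied."""
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.proto not in ("ip", proto.lower()):
            continue
        if addr not in r.src:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action == "permit"
    return False


# Pulls signature id, message, protocol and the 5-tuple out of one alert line.
ALERT_RE = re.compile(
    r"\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line: str) -> Optional[dict]:
    """Return the alert fields as a dict, or None for lines that do not parse."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
    return a


def filter_alerts(acl_text: str, lines):
    """Split alerts into those the firewall would pass and a count of the rest.

    The dropped side is counted per signature rather than discarded outright,
    so the reconnaissance picture (what was tried against closed ports) is
    not lost when the detailed alerts are suppressed.
    """
    rules = parse_acl(acl_text)
    kept, dropped = [], Counter()
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        if policy_allows(rules, a["src"], a["proto"], a["dport"]):
            kept.append(a)
        else:
            dropped[a["msg"]] += 1
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_alerts(ACL_TEXT, ALERT_LINES)
    for a in kept:
        print("KEEP", a["sid"], a["src"], "->", a["dst"], a["dport"], a["msg"])
    for msg, n in dropped.items():
        print("SUPPRESSED", n, "x", msg)
```

Run it as-is to see that the SSH alert from the permitted 203.0.113.0/24 range survives while the same signature from an address the firewall would block is only counted. The per-signature count of suppressed alerts is the check worth keeping: it answers the question the post raises (is filtering by firewall policy dangerous?) by preserving a summary of what was attempted against blocked services without the raw volume.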
Current thread:
- Need help to choose a security policy CEDRIC CASSIN (May 06)
- RE: Need help to choose a security policy Omar Herrera (May 06)
- <Possible follow-ups>
- RE: Need help to choose a security policy CEDRIC CASSIN (May 07)
- RE: Need help to choose a security policy Omar Herrera (May 10)
- Re: Need help to choose a security policy embyte (May 14)
- RE: Need help to choose a security policy CEDRIC CASSIN (May 10)