IDS mailing list archives

RE: Need help to choose a security policy


From: Omar Herrera <oherrera () prodigy net mx>
Date: Thu, 06 May 2004 21:44:25 -0600

Hi Cedric,

 I have been asked to decrease the amount of IDS logs we get: useless
 events, false positives and so on. The logs are so large that they are
 sometimes unmanageable. It's quite hard to find relevant information on
 the internet.

 Since the company I work for wants to decrease the number of logs, the
 policy to apply shouldn't consist in logging all the attacks. I'm
 suggesting to log only the attacks which will be able to go through the
 firewall, consequently those that match the firewall's access-list:
 allowed services and allowed source addresses. I have listed all the
 permitted services and want to tune the IDS to look only for the
 signatures relative to these services. Is it a good or dangerous way of
 thinking?

In fact, you should never configure an IDS to log all possible attacks
it can detect (unless you are in the statistics business :-) ).

Don't be afraid of coming up short; it is much better to be aware of
something useful than to try to log everything, because you will
definitely miss something important with so much information.

I don't think that trying to match your firewall accept rules is
precisely the best move. Better configure only rules relevant to your
architecture (for example, you might have only one type of web server,
so disable all rules that deal with attacks on other types of web
servers you don't have).

Now that you have rules that are relevant to your architecture, check
priorities and dispose of those that are not of much use (informative
ones, for example). For example, you might want to disable port scan
alerts on an IDS in front of your firewall because you will get
thousands of them a day, and you know that decoys with spoofed addresses
can be used and so on (they could be useful for correlation, but let's
walk before we run); port scan alerts in the internal network might be
worth keeping though.

So, rules that tell you about activities that are not exactly attacks
would be good candidates to get rid of.

Next, you might want to get rid of obsolete alerts (just make sure they
are obsolete from your architecture's point of view). Do you have an old
IIS 4 on an NT without patches that might be vulnerable to trivial
directory traversal attacks? No? Well, then you can disable those too.

Last but not least, if your IDS allows you to create custom rules, then
you should consider creating some that verify policy compliance. Should
your corporate web server start FTP connections to workstations in your
internal network? If not, then you might as well forbid all these
"suspicious" activities. Much better if you can apply positive logic in
these rules (like in firewalls); for example, in Snort you could create
'pass' rules for that which is allowed and then create some general
'alert' rules that will trigger when activity other than that permitted
is detected. This will take you time and increase your rule database,
but these are the kind of rules that, when you see them on your report,
you know that there is something very bad going on; they don't get
obsolete so fast and they help catch unknown/new attacks, viruses/worms
and the like (so they are worth implementing for critical servers).

I hope this helps.

Regards,

Omar Herrera
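[Editor's note: the Snort configuration below is an added example illustrating the positive-logic policy rules Omar describes for a critical web server, together with the port-scan and obsolete-rule points earlier in the message. It is not part of the original post. All addresses, variable names, ports and SIDs are assumptions chosen for illustration; adjust them to your own architecture.]

```snort
# Added example, not from the original post. All addresses, variable names,
# ports and SIDs are assumptions chosen for illustration.
#
# Goal: positive-logic policy rules for one critical host, the corporate
# web server. Whitelist the few flows it is supposed to originate (pass),
# then alert on everything else it starts toward the internal network.

ipvar WEB_SERVERS  [192.0.2.10]
ipvar INTERNAL_NET [10.10.0.0/16]
ipvar DB_SERVERS   [10.10.5.20]
ipvar DNS_SERVERS  [10.10.1.53]

# pass rules must be evaluated before alert rules. On the Snort 2.x
# releases of the time this meant running with "snort -o"; "config order"
# does the same in snort.conf. Later 2.9 releases changed the default, so
# check the manual for the version you run.
config order: pass alert log activation dynamic

# Sensor in front of the firewall: leave sfPortscan out (thousands of
# noisy, possibly spoofed scans a day). Keep it enabled on the internal
# sensor, where a scan is worth looking at.
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

# --- Allowed flows (policy whitelist) ------------------------------------
# Database queries from the web application.
pass tcp $WEB_SERVERS any -> $DB_SERVERS 3306 (msg:"POLICY allowed web->db"; sid:1000001; rev:1;)
# Name resolution.
pass udp $WEB_SERVERS any -> $DNS_SERVERS 53 (msg:"POLICY allowed web->dns"; sid:1000002; rev:1;)

# --- Everything else the web server initiates inward is a violation ------
# flags:S,12 matches only the initial SYN of a new connection (the two
# reserved bits are ignored), so packets of an established inbound HTTP
# session answering a client do not trigger it. The FTP-to-workstation case
# from the post (web server -> internal host, port 21) is caught here.
alert tcp $WEB_SERVERS any -> $INTERNAL_NET any (msg:"POLICY web server opened TCP connection to internal host"; flags:S,12; classtype:policy-violation; priority:1; sid:1000003; rev:1;)
alert udp $WEB_SERVERS any -> $INTERNAL_NET any (msg:"POLICY web server sent UDP to internal host"; classtype:policy-violation; priority:1; sid:1000004; rev:1;)

# Obsolete or irrelevant vendor rules (e.g. IIS 4 directory traversal when
# you run no IIS) are simply commented out in the .rules file, or listed in
# your rule-management tool's disable list (Oinkmaster's disablesid, for
# example), so they survive the next signature update.
```

Usage note: the pass rules deliberately carry no content or flow options, so they match every packet of a whitelisted flow; the two alert rules are the only ones that need to be precise. Add one pass line per flow you actually expect from the host (backup agent, NTP, syslog) and nothing else. A single alert from sid 1000003 or 1000004 then means the web server is talking to something it never should, whatever the payload is.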


