IDS mailing list archives
RE: Need help to choose a security policy
From: Omar Herrera <oherrera () prodigy net mx>
Date: Thu, 06 May 2004 21:44:25 -0600
Hi Cedric,
I have been asked to decrease the amount of IDS logs we get: useless events, false positives and so on. The logs are so large that they are sometimes unmanageable. It's quite hard to find relevant information on the Internet. Since the company I work for wants to decrease the number of logs, the policy to apply shouldn't consist of logging all the attacks. I'm suggesting to log only the attacks that will be able to go through the firewall, consequently those that match the firewall's access-list: allowed services and allowed source addresses. I have listed all the permitted services and want to tune the IDS to look only for the signatures relative to these services. Is it a good or dangerous way of thinking?
In fact, you should never configure an IDS to log all possible attacks it can detect (unless you are in the statistics business :-) ). Don't be afraid of getting short; it is much better to be aware of something useful than to try to log everything, because you will definitely miss something important with so much information.

I don't think that trying to match your firewall accept rules is precisely the best move. Better configure only rules relevant to your architecture (for example, you might have only one type of web server, so disable all rules that deal with attacks on other types of web servers you don't have). Now that you have rules that are relevant to your architecture, check priorities and dispose of those that are of not much use (informative ones, for example). For example, you might want to disable port scan alerts on an IDS in front of your firewall because you will get thousands of them a day, and you know that decoys with spoofed addresses can be used and so on (they could be useful for correlation, but let's walk first before running); port scan alerts in the internal network might be worth keeping though. So, rules that tell you about activities that take place that are not exactly attacks would be good candidates to get rid of.

Next, you might want to get rid of obsolete alerts (just make sure they are obsolete from your architecture's point of view). Do you have an old IIS 4 on an NT without patches that might be vulnerable to trivial directory traversal attacks? No? Well, then you can disable those too.

Last but not least, if your IDS allows you to create custom rules, then you should consider creating some that verify policy compliance. Should your corporate web server start FTP connections to workstations in your internal network? If not, then you might as well forbid all these "suspicious" activities.

Much better if you can apply positive logic in these rules (like in firewalls); for example, in Snort you could create 'pass' rules for that which is allowed and then create some general 'alert' rules that will trigger when activity other than that permitted is detected. This will take you time and increase your rule database, but these are the kind of rules that, when you see them on your report, you know that there is something very bad going on; they don't get obsolete so fast and they help catching unknown/new attacks, viruses/worms and the like (so they are worth implementing for critical servers).

I hope this helps.

Regards,
Omar Herrera
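The positive-logic policy rules Omar describes, written out as a Snort 2.x rule fragment. This is an added example, not part of Omar's message or the list archive. The variable names `$WEB_SERVERS`, `$HOME_NET`, `$DNS_SERVERS` and `$SMTP_SERVERS`, the RFC 5737 documentation addresses assigned to them, the `msg` strings and the `sid` values are all assumptions constructed for the illustration; adapt them to the real architecture.

```snort
# Added example: Snort 2.x policy-compliance rules for a corporate web server,
# using positive logic ('pass' what is allowed, 'alert' on everything else).
# All addresses and variable names below are constructed placeholders.
var HOME_NET     192.0.2.0/24
var WEB_SERVERS  192.0.2.10
var DNS_SERVERS  192.0.2.53
var SMTP_SERVERS 192.0.2.25

# Caveat: Snort 2.x evaluates rule types in the order alert, pass, log by
# default, so a matching 'alert' would fire before the 'pass' rule is seen.
# Make pass rules win by adding this line to snort.conf (same effect as the
# -o command-line switch):
#
#   config order: pass alert log

# Permitted: clients anywhere may reach the web server on HTTP and HTTPS.
pass tcp any any -> $WEB_SERVERS 80  (msg:"POLICY allowed inbound HTTP";  sid:1000001; rev:1;)
pass tcp any any -> $WEB_SERVERS 443 (msg:"POLICY allowed inbound HTTPS"; sid:1000002; rev:1;)

# Permitted: the web server may resolve names and relay mail, nothing more.
pass udp $WEB_SERVERS any -> $DNS_SERVERS 53  (msg:"POLICY allowed DNS from web server";  sid:1000003; rev:1;)
pass tcp $WEB_SERVERS any -> $SMTP_SERVERS 25 (msg:"POLICY allowed SMTP from web server"; sid:1000004; rev:1;)

# Violation: any new TCP connection the web server initiates towards an
# internal host (SYN set, ACK clear; ',12' ignores the two reserved bits).
# Replies to inbound HTTP carry SYN+ACK, so they do not match this rule.
alert tcp $WEB_SERVERS any -> $HOME_NET any (msg:"POLICY web server opened TCP connection to internal host"; flags:S,12; classtype:policy-violation; sid:1000005; rev:1;)

# Violation: any UDP the web server sends internally other than the DNS
# traffic passed above.
alert udp $WEB_SERVERS any -> $HOME_NET any (msg:"POLICY web server sent UDP to internal host"; classtype:policy-violation; sid:1000006; rev:1;)
```

Because the alert rules describe behaviour rather than a known exploit, a hit means the server is doing something its role never requires (for example the FTP-to-workstation case in the message), which is why these rules stay useful after signature-based rules for a given vulnerability have gone stale. The `classtype:policy-violation` value is one of Snort's stock classifications, so the alerts can be prioritised separately from attack signatures in reports.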