IDS mailing list archives
Re: on NIDS/NIPS tuning
From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 10 Jun 2005 21:13:01 -0400
I have two observations:
1) On this list you will find a high number of "tuners". People on this list are obviously into this topic, so this is to be expected.
2) Generally speaking (and going by nearly 7 years of experience with people using Snort) I'd say that lots of people use their IDS's in their completely stock configuration. Hell, we've even had Snort users who auto-download rules updates and fire them up sight unseen, something that was shown pretty clearly a few years ago (pre-Sourcefire) when we checked a joke rule into CVS and got a bunch of pissed off emails from people who had auto-deployed them.
This is a real problem with detection technology in general, it takes a lot of expertise to tune effectively if you want to get a lot of value out of it. That expertise is a fairly esoteric set of skills which is difficult to find in a lot of organizations. Now obviously I have some real ideas about that topic, but that wasn't the point of this thread...
-Marty
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Network Defense for the Real World - http://www.sourcefire.com
Snort: Open Source Intrusion Detection and Prevention - http://www.snort.org