IDS mailing list archives
RE: on NIDS/NIPS tuning
From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Tue, 14 Jun 2005 15:33:02 -0700
Heh. Most SIMs should be able to handle serious IDS load if you give them enough hardware. ;)

As for tuning, I never said anything about not tuning, in fact you seem to be arguing about a number of points I didn't make?

Having dealt with all the issues you mention below, I'll say that yes, they are issues and no, they are not as impossible as you seem to think.

toby

-----Original Message-----
From: David Kee [mailto:templeofprs () hotmail com]
Sent: Tuesday, June 14, 2005 8:26 AM
To: focus-ids () securityfocus com
Subject: RE: on NIDS/NIPS tuning

I am curious to know what SIM product can handle un-tuned IDS alerts in addition to firewall logs, server logs, and application logs. How accurate is the list of message IDs and the message parsing? I doubt that there is a SIM vendor that has a correlation engine that can handle a fraction of the traffic in an average data-center or enterprise network. Can they provide packaged reporting and alert management? Flat-file or relational database? Don't forget about your SOC operators who have to manage the message queue and respond to all of the alerts.

You cannot just push traffic to a SIM and have it magically (and accurately) generate some golden nugget message.

What are you using to gather vulnerability assessment information and how is the SIM correlating against that information? Valid alerts need to be measured against the vulnerability of the device/application (patch levels, hardening, etc).

-----Original Message-----
From: Kohlenberg, Toby [mailto:toby.kohlenberg () intel com]
Sent: Monday, June 13, 2005 10:42 AM
To: Hazel, Scott A.; focus-ids () securityfocus com
Subject: RE: on NIDS/NIPS tuning

I'd suggest that IDS(ips) tuning is still essential. Not only do rules/sigs need to be tuned but new sigs/rules need to be added to fit your environment.

Where to tune is a very good question and not easily answered. I generally try to tune on the sensor first and on the SIM second. The idea being that I want to decrease the work the sensor has to do rather than just ignore it. That said, it's only reasonable to do that if you can be confident of reducing false positives without increasing false negatives at the same time.

toby

-----Original Message-----
From: Hazel, Scott A. [mailto:Scott.Hazel () unisys com]
Sent: Saturday, June 11, 2005 9:20 PM
To: focus-ids () securityfocus com
Subject: RE: on NIDS/NIPS tuning

This is a fundamental question we've been dealing with as well. By default we tune the IDS. But when the SIM tool is thrown into the mix, the question becomes where to tune. Theoretically, the SIM uses all the data it sees to correlate attacks, attackers, trends in suspicious activity, etc. If you tune what appears to be noise at the IDS, you could potentially be tuning out data the SIM uses to correlate and alert on a higher quality event. Conversely, tuning out known FPs at the IDS should create a higher quality data stream for the SIM to use.

Logic points me to opening the IDS and letting the SIM do the work. The SIM would also be where the data was tuned. In the end, it seems you could go either way depending on how you want your alerts served up to you and how much disk you've got to hold all that data in the IDS.

Thanks for starting this thread though. Tuning an IDS seems as much an art as a science. I'm glad to see input on how the rest of you handle it.

Scott Hazel

-----Original Message-----
From: Gary Halleen [mailto:ghalleen () cisco com]
Sent: Friday, June 10, 2005 4:17 PM
To: 'Drew Simonis'; 'Anton A. Chuvakin'; focus-ids () securityfocus com
Subject: RE: on NIDS/NIPS tuning

I'm seeing many organizations now tuning not on the IDS, but on the SIM product they're using for monitoring them.

Gary

-----Original Message-----
From: Drew Simonis [mailto:simonis () myself com]
Sent: Friday, June 10, 2005 6:02 AM
To: Anton A. Chuvakin; focus-ids () securityfocus com
Subject: Re: on NIDS/NIPS tuning

All,

I was thinking about some issues with IDS alerts (their volume, etc) and realized I could use some help from the list. It might also be a fun discussion item.

So, here it is: how many folks who buy/download a NIDS/NIPS actually tune it? Long time ago when I was asking this question the previous time, I was scared to learn that lots of people do not tune their NIDSs. Is it any better now?

I know that, in my experience, many orgs don't tune at all. The fear is that they might do it wrong and thereby miss some important event. IMO, this is a stupid way of thinking, but I bet it isn't as rare as it should be.

In other cases, people do not tune and rely on a correlation engine or MSS to filter the events. This is better, but really just moves the tuning to a different level.

Personally, I tune sigs and also tailor the sig sets to the devices being monitored. For example, if there are no webservers on a segment, I might not be as inclined to use sigs that check for Apache exploits. I've never really measured the impact on the system vs. the administrative cost of doing this, however, so it is quite possible I am wasting time for a negligible benefit.

On the tuning side, I believe that filters and exclusions should be part of the incident response lifecycle. If I am alerted to an event by an IDS, I investigate and discover that the event was benign or did not take place, a filter should result, and thus be properly documented.

-Ds
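
Added example (not part of the original thread and not any poster's code): a small Python sketch combining three ideas raised above, namely suppression filters that must carry incident documentation, alerts ranked against the target's known exposure, and suppressed alerts being labelled rather than dropped so they stay available for correlation. Signature names, addresses, the ticket id and the inventory are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Filter:
    sig: str      # signature name the filter applies to
    dst: str      # monitored host the filter applies to
    reason: str   # what the investigation found
    ticket: str   # incident record that justified the filter

    def __post_init__(self):
        # An undocumented exclusion is refused outright.
        if not self.reason.strip() or not self.ticket.strip():
            raise ValueError(f"filter for {self.sig} lacks documentation")

# Constructed inventory: host -> signatures it is believed exposed to
# (assumed to be derived from patch level, hardening and scan data).
EXPOSED = {
    "10.0.0.5": {"apache-chunked-overflow"},
    "10.0.0.9": set(),  # no web server on this host
}

def triage(alerts, filters, exposed):
    """Label every alert; nothing is discarded, so the full stream
    remains available for later correlation."""
    by_key = {(f.sig, f.dst): f for f in filters}
    out = []
    for a in alerts:
        f = by_key.get((a["sig"], a["dst"]))
        if f is not None:
            label = f"suppressed:{f.ticket}"
        elif a["sig"] in exposed.get(a["dst"], set()):
            label = "high"    # target is exposed to this attack
        elif a["dst"] in exposed:
            label = "low"     # known host, not exposed
        else:
            label = "review"  # host missing from the inventory
        out.append((a["sig"], a["dst"], label))
    return out

# Constructed sample data.
FILTERS = [Filter("icmp-ping-sweep", "10.0.0.5",
                  "monitoring server health check", "IR-EXAMPLE-1")]
ALERTS = [
    {"sig": "apache-chunked-overflow", "dst": "10.0.0.5"},
    {"sig": "apache-chunked-overflow", "dst": "10.0.0.9"},
    {"sig": "icmp-ping-sweep", "dst": "10.0.0.5"},
    {"sig": "icmp-ping-sweep", "dst": "10.0.0.77"},
]

if __name__ == "__main__":
    for row in triage(ALERTS, FILTERS, EXPOSED):
        print(row)
```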