RE: on NIDS/NIPS tuning

["Kohlenberg, Toby" <toby.kohlenberg () intel com>]

Heh. Most SIMs should be able to handle serious IDS load if you give
them enough hardware. ;)

As for tuning, I never said anything about not tuning, in fact you
seem to be arguing about a number of points I didn't make?

Having dealt with all the issues you mention below, I'll say that
yes, they are issues and no, they are not as impossible as you seem
to think. 

toby 

> -----Original Message-----
> From: David Kee [mailto:templeofprs () hotmail com] 
> Sent: Tuesday, June 14, 2005 8:26 AM
> To: focus-ids () securityfocus com
> Subject: RE: on NIDS/NIPS tuning
>
> I am curious to know what SIM product can handle un-tuned IDS 
> alerts in 
> addition to firewall logs, server logs, and application logs. 
> How accurate 
> is the list of message ID's and the message parsing? I doubt 
> that there is a 
> SIM vendor that has a correlation engine that can handle a 
> fraction of the 
> traffic in an average data-center or enterprise network. Can 
> they provide 
> packaged reporting and alert management? Flat-file or 
> relational database? 
> Don't forget about your SOC operators who have to manage the 
> message queue 
> and respond to all of the alerts. You can not just push 
> traffic to a SIM and 
> have it magically (and accurately) generate some golden nugget 
> message. What 
> are you using to gather vulnerability assessment information 
> and how is the 
> SIM correlating against that information? Valid alerts need to 
> be measured 
> against the vulnerability of the device/application (patch levels, 
> hardening, etc).
> > -----Original Message-----
> > From: Kohlenberg, Toby [mailto:toby.kohlenberg () intel com]
> > Sent: Monday, June 13, 2005 10:42 AM
> > To: Hazel, Scott A.; focus-ids () securityfocus com
> > Subject: RE: on NIDS/NIPS tuning
> >
> > I'd suggest that IDS(ips) tuning is still essential. Not only do
> > rules/sigs
> > need to be tuned but new sigs/rules need to be added to fit your
> > environment.
> >
> > Where to tune is a very good question and not easily answered. I
> > generally
> > try to tune on the sensor first and on the SIM second. The idea being
> > that I
> > want to decrease the work the sensor has to do rather than just ignore
> > it.
> >
> > That said, it's only reasonable to do that if you can be confident of
> > reducing
> > false positives without increasing false negatives at the same time.
> >
> > toby
> >
> > > -----Original Message-----
> > > From: Hazel, Scott A. [mailto:Scott.Hazel () unisys com]
> > > Sent: Saturday, June 11, 2005 9:20 PM
> > > To: focus-ids () securityfocus com
> > > Subject: RE: on NIDS/NIPS tuning
> > >
> > > This is a fundamental question we've been dealing with as well. By
> > > default we tune the IDS. But when the SIM tool is thrown 
> into the mix,
> > > the question becomes where to tune. Theoretically, the SIM 
> uses all the
> > > data it sees to correlate attacks, attackers, trends in suspicious
> > > activity, etc. If you tune what appears to be noise at the IDS, you
> > > could potentially be tuning out data the SIM uses to correlate
> > > and alert
> > > on a higher quality event.
> > >
> > > Conversely, tuning out known FP's at the IDS should create a higher
> > > quality data stream for the SIM to use. Logic points me to 
> opening the
> > > IDS and letting the SIM do the work. The SIM would also be where the
> > > data was tuned. In the end, it seems you could go either 
> way depending
> > > on how you want your alerts served up to you and how much 
> disk you've
> > > got to hold all that data in the IDS.
> > >
> > > Thanks for starting this thread though. Tuning an IDS seems 
> as much an
> > > art as a science. I'm glad to see input on how the rest of 
> you handle
> > > it.
> > >
> > > Scott Hazel
> > >
> > > -----Original Message-----
> > > From: Gary Halleen [mailto:ghalleen () cisco com]
> > > Sent: Friday, June 10, 2005 4:17 PM
> > > To: 'Drew Simonis'; 'Anton A. Chuvakin'; focus-ids () securityfocus com
> > > Subject: RE: on NIDS/NIPS tuning
> > >
> > > I'm seeing many organizations now tuning not on the IDS, 
> but on the SIM
> > > product they're using for monitoring them.
> > >
> > > Gary
> > >
> > >
> > > -----Original Message-----
> > > From: Drew Simonis [mailto:simonis () myself com]
> > > Sent: Friday, June 10, 2005 6:02 AM
> > > To: Anton A. Chuvakin; focus-ids () securityfocus com
> > > Subject: Re: on NIDS/NIPS tuning
> > >
> > > > All,
> > > >
> > > > I was thinking about some issues with IDS alerts (their 
> volume, etc)
> > > > and realized I could use some help from the list. It might
> > > also be a
> > > > fun discussion item.
> > > >
> > > > So, here it is: how many folks who buy/download a 
> NIDS/NIPS actually
> > > > tune it? Long time ago when I was asking this question 
> the previous
> > > > time, I was scared to learn that lots of people do not tune their
> > > > NIDSs. Is it any better now?
> > >
> > > I know that, in my experience, many orgs don't tune at all.
> > > The fear is
> > > that they might do it wrong and thereby miss some important
> > > event.  IMO,
> > > this is a stupid way of thinking, but I bet it isn't as rare as it
> > > should
> > > be.
> > >
> > > In other cases, people do not tune and rely on a 
> correlation engine or
> > > MSS
> > > to filter the events.  This is better, but really just 
> moves the tuning
> > > to a
> > > different level.
> > >
> > > Personally, I tune sigs and also tailor the sig sets to the devices
> > > being
> > > monitored.  For example, if there are no webservers on a segment, I
> > > might
> > > not be as inclined to use sigs that check for Apache exploits.  I've
> > > never
> > > really measured the impact on the system vs. the 
> administrative cost of
> > > doing this, however, so it is quite possible I am wasting time for a
> > > negligable benefit.
> > >
> > > On the tuning side, I believe that filters and exclusions
> > > should be part
> > > of
> > > the incident response lifecycle.  If I am alerted to an event
> > > by an IDS,
> > > I
> > > investigate and discover that the event was benign or did not take
> > > place, a
> > > filter should result, and thus be properly documented.
> > >
> > > -Ds
> > >
> > > --
> > > ___________________________________________________________
> > > Sign-up for Ads Free at Mail.com
> > > http://promo.mail.com/adsfreejump.htm
> > >
> > >
> > > ---------------------------------------------------------------
> > > ---------
> > > --
> > > Test Your IDS
> > >
> > > Is your IDS deployed correctly?
> > > Find out quickly and easily by testing it with real-world 
> attacks from
> > > CORE IMPACT.
> > > Go to
> > > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > >
> > > to learn more.
> > > ---------------------------------------------------------------
> > > ---------
> > > --
> > >
> > > ---------------------------------------------------------------
> > > ---------
> > > --
> > > Test Your IDS
> > >
> > > Is your IDS deployed correctly?
> > > Find out quickly and easily by testing it with real-world 
> attacks from
> > > CORE IMPACT.
> > > Go to
> > > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > >
> > > to learn more.
> > > ---------------------------------------------------------------
> > > ---------
> > > --
> > >
> > >
> > > ---------------------------------------------------------------
> > > -----------
> > > Test Your IDS
> > >
> > > Is your IDS deployed correctly?
> > > Find out quickly and easily by testing it with real-world 
> attacks from
> > > CORE IMPACT.
> > > Go to
> > > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > > to learn more.
> > > ---------------------------------------------------------------
> > > -----------
> >
> > --------------------------------------------------------------
> ------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks from
> > CORE IMPACT.
> > Go to 
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > --------------------------------------------------------------
> ------------
> >
>
> _________________________________________________________________
> Don't just search. Find. Check out the new MSN Search! 
> http://search.msn.click-url.com/go/onm00200636ave/direct/01/
>
>
> ---------------------------------------------------------------
> -----------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from 
> CORE IMPACT.
> Go to 
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
> to learn more.
> ---------------------------------------------------------------
> -----------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------