Educause Security Discussion mailing list archives

Re: IPS signature update process


From: Mike Peterson <mikep () NOC UTORONTO CA>
Date: Tue, 18 Aug 2009 16:26:40 -0400

> We are currently trying to formalize a process for updating our IPS
> signatures.  I was looking to see what other people out there are doing.
> Management would like to incorporate a review committee to help ensure
> legitimate traffic doesn't get blocked.  I'm struggling to come up with
> a model that would incorporate this.

I used to review the signature update before applying it, but am now just
having the IPS apply immediately/automatically any updates it receives.

We've only had 1 "recommended for blocking" rule cause any problems in 4+
years, and I don't think the affected user(s) ever even noticed.

We look over the non-blocking rules for a few weeks before activating them
for blocking to check for false positives; we haven't activated many of
them (mainly some types of host/port scanning and username/password brute
forcing).

The complete set of active rules (blocking and non-blocking) and
daily/weekly reports are posted on our internal web site so concerned
users can check what the IPS is doing, and we have a site where an IP
address can be looked up to see what IPS rules it has triggered in the
past 2 months.

Mike
--
Mike Peterson -- Network Security Specialist -- Computer and Network Services
E-mail: mikep () noc utoronto ca                WWW: http://www.noc.utoronto.ca/
Tel: 416-978-5230                                           Fax: 416-971-1362
