IDS mailing list archives

Re: amount of alarms generated by IDS


From: "Andy Cuff" <talisker () securitywizardry com>
Date: Tue, 11 May 2004 10:15:00 +0100

Let's also not forget the breadth and depth of the signatures within the IDS,
which vary greatly between vendors: are they purely grepping, or is there
also an element of protocol decode in there?

Tuning is the key, as is compatibility of the chosen product with both the
network and the staff operating it.

To answer the original question, you cannot gauge these rates ahead of time
without a mass of research. The best option is to place an IDS on your network
and see for yourself, but make sure you try before you buy.

-andy cuff

Talisker Security Tools Directory
http://www.securitywizardry.com
----- Original Message ----- 
From: "Bhargav Bhikkaji" <bbhikkaji () yahoo co in>
To: <focus-ids () securityfocus com>
Sent: Saturday, May 08, 2004 4:04 PM
Subject: Re: amount of alarms generated by IDS


In-Reply-To: <20040507072116.73229.qmail () web12822 mail yahoo com>

The right-out-of-the-box configs for an inline device are
expected to generate much fewer FPs since admins don't have all the time
in the world to tune the rules unlike on a promiscuous mode device.

I am not sure how Inline IDS will generate fewer FPs?



-Bhargav
