IDS mailing list archives

Re: IDS event filtering


From: Stef <stefmit () gmail com>
Date: Sat, 1 Jan 2005 08:00:56 -0600

I won't filter out anything. Something you do not [know of] have[ing]
does not guarantee anything (e.g. you know you do not have MSSQL
anywhere on your network, until a vendor comes up to your shop, with a
laptop running it, or a product has it "embedded" in its
functionality). What I would do would be to only alert on what I have
on my network, but log absolutely everything else. A CD or even DVD
burner is not expensive these days, compared to the advantage of
salvaging information, and I have had first hand experience with
having gone back to logs, then identifying and analyzing issues I have
never had rules or have not alerted for.

My $0.02,
Stef


On Fri, 31 Dec 2004 15:31:32 -0600, Harper, Patrick
<Patrick.Harper () phns com> wrote:


Thresholding is a wonderful thing.  And no, I personally do not want
to see alerts on things I do not have.  If I am an all apache shop
then I do not turn on any IIS rules.  I also make sure, via scanning
and vulnerability analysis, that I do not in fact have any IIS (or
whatever) installed.  You first need to have a good inventory of what
you have.  And you need to keep that up to date so you always know
what you have.  Then you trim all rules to that.  Whether it be
ingress - egress firewall rules, IDS configs, or whatever.  Figure
out what you have, learn how it flows (and make it work/flow the
secure way) then monitor it.

-----Original Message-----
From: Billy Dodson [mailto:CraftedPacket () securitynerds org]
Sent: Friday, December 31, 2004 9:37 AM
To: focus-ids () lists securityfocus com
Subject: IDS event filtering

I am wanting to get an idea of what you guys out there filter from your
IDS sensors.  Some of the sensors I monitor get TONS of events for MSSQL
control overflows.  If the customer is patched for slammer and does not
have any SQL services on the internet, is it safe to filter out those
events?  Do you still want to see that traffic even though you know you
are not vulnerable?  Thanks!
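Added example (not code from any of the posters): a small Python triage that combines the two positions in the thread, paging only on signatures whose target service the destination host is known to run, rate-limiting those pages per source the way a Snort "type limit" threshold does, and keeping everything else in the log rather than discarding it. The inventory, hosts, signature names and alert records are all constructed for the example.

```python
from collections import defaultdict

# Constructed asset inventory (Harper's "know what you have"): host -> services it really runs.
INVENTORY = {
    "10.0.0.5": {"http", "ssh"},   # Apache box, no MSSQL
    "10.0.0.9": {"mssql"},         # the one MSSQL host we know about
}

# Constructed alerts: (t_seconds, signature, src, dst, service the signature targets)
ALERTS = [
    (0,  "MS-SQL worm propagation", "203.0.113.7",  "10.0.0.5", "mssql"),
    (1,  "MS-SQL worm propagation", "203.0.113.7",  "10.0.0.5", "mssql"),
    (2,  "MS-SQL worm propagation", "203.0.113.7",  "10.0.0.9", "mssql"),
    (5,  "MS-SQL worm propagation", "203.0.113.7",  "10.0.0.9", "mssql"),
    (30, "IIS unicode traversal",   "198.51.100.3", "10.0.0.5", "iis"),
    (70, "MS-SQL worm propagation", "203.0.113.7",  "10.0.0.9", "mssql"),
    (71, "Apache chunked overflow", "198.51.100.3", "10.0.0.5", "http"),
]

def target_applies(alert, inventory):
    """True when the destination host actually runs the service the signature targets."""
    _, _, _, dst, service = alert
    return service in inventory.get(dst, set())

class LimitThreshold:
    """Modelled on Snort's 'type limit, track by_src': the first `count` events per
    (signature, src) in each `seconds` window are passed, the rest are held back."""
    def __init__(self, count=1, seconds=60):
        self.count, self.seconds = count, seconds
        self.state = defaultdict(lambda: [None, 0])   # key -> [window_start, seen]
    def allow(self, t, signature, src):
        win = self.state[(signature, src)]
        if win[0] is None or t - win[0] >= self.seconds:   # open a fresh window
            win[0], win[1] = t, 0
        win[1] += 1
        return win[1] <= self.count

def triage(alerts, inventory, count=1, seconds=60):
    """Return (paged, logged); nothing is discarded, `logged` keeps each held-back event with its reason."""
    thr = LimitThreshold(count, seconds)
    paged, logged = [], []
    for a in alerts:
        t, sig, src, _, _ = a
        if not target_applies(a, inventory):
            logged.append((a, "service not present on target"))
        elif not thr.allow(t, sig, src):
            logged.append((a, "over threshold"))
        else:
            paged.append(a)
    return paged, logged
```

With the constructed data, the Slammer-style events against the Apache host and the IIS event are logged but never page, while the MSSQL host pages once per source per minute.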
