IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: IDS event filtering

From: Jeff Kell <jeff-kell () utc edu>
Date: Fri, 31 Dec 2004 17:12:57 -0500
Billy Dodson wrote:

I am wanting to get an idea of what you guys out there filter from your
IDS sensors.  Some of the sensors I monitor get TONS of events for MSSQL
control overflows.  If the customer is patched for slammer and does not
have any SQL services on the internet, is it safe to filter out those
events?  Do you still want to see that traffic even though you know your
are not vulnerable?  Thanks!
For your own purposes, you can certainly filter it up front, or have your IDS ignore the traffic -- with current levels of "background noise" on the net, you have to do this to preserve your sanity.
If, however, you are reporting events to a third-party monitoring service [i.e., you're acting as a "sensor"] such as DShield, Honeynet, MyNetWatchman, etc., you should try to preserve all possible events to provide a truly representative sample of the traffic. 

Jeff

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. 
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: