IDS mailing list archives
Re: IDS event filtering
From: Jeff Kell <jeff-kell () utc edu>
Date: Fri, 31 Dec 2004 17:12:57 -0500
Billy Dodson wrote:
I am wanting to get an idea of what you guys out there filter from your IDS sensors. Some of the sensors I monitor get TONS of events for MSSQL control overflows. If the customer is patched for slammer and does not have any SQL services on the internet, is it safe to filter out those events? Do you still want to see that traffic even though you know your are not vulnerable? Thanks!
For your own purposes, you can certainly filter it up front, or have your IDS ignore the traffic -- with current levels of "background noise" on the net, you have to do this to preserve your sanity.
If, however, you are reporting events to a third-party monitoring service [i.e., you're acting as a "sensor"] such as DShield, Honeynet, MyNetWatchman, etc., you should try to preserve all possible events to provide a truly representative sample of the traffic.
Jeff -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Current thread:
- Re: IDS event filtering Stef (Jan 03)
- <Possible follow-ups>
- RE: IDS event filtering dcdave (Jan 03)
- Re: IDS event filtering Reto Baumann (Jan 03)
- Re: IDS event filtering Jeff Kell (Jan 03)
- Re: IDS event filtering M. Dodge Mumford (Jan 03)
- RE: IDS event filtering Evans, Arian (Jan 03)
- Message not available
- RE: IDS event filtering (NeVO comments) Ron Gula (Jan 04)
- Message not available
- RE: IDS event filtering Phil Hollows (Jan 03)
- RE: IDS event filtering Ofer Shezaf (Jan 04)
- RE: IDS event filtering Phil Hollows (Jan 06)
- RE: IDS event filtering Phil Hollows (Jan 06)
- RE: IDS event filtering Ofer Shezaf (Jan 17)