IDS mailing list archives
RE: on NIDS/NIPS tuning
From: "Joshua Berry" <jberry () PENSON COM>
Date: Thu, 9 Jun 2005 15:41:29 -0500
I tune my IDS sensors for rules that are giving me too many false-positives, and for any vulnerability or security threat that isn't addressed with the current rule-set. I try to go over my rule-set and configuration every couple of months. Other than that, I have written a script that I call context.pl that imports data from nessus scans and p0f profiles (data from these tools are imported into a database by some custom scripts) and uses that information to configure some of the variables and rules to attempt to provide context for the system. It is somewhat of a hacked together "poor-man's" attempt at RNA.

-----Original Message-----
From: Anton A. Chuvakin [mailto:anton () chuvakin org]
Sent: Thursday, June 09, 2005 12:01 PM
To: focus-ids () securityfocus com
Subject: on NIDS/NIPS tuning

All,

I was thinking about some issues with IDS alerts (their volume, etc) and realized I could use some help from the list. It might also be a fun discussion item. So, here it is: how many folks who buy/download a NIDS/NIPS actually tune it? Long time ago when I was asking this question the previous time, I was scared to learn that lots of people do not tune their NIDSs. Is it any better now?

Best,
--
Anton A. Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.info-secure.org
http://www.securitywarrior.com

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
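The context-building step described in the reply above (feeding scan and OS-fingerprint data into NIDS variables and per-host settings), as an added example in Python that is not the poster's context.pl: it assumes simplified, constructed CSV inputs rather than real Nessus or p0f output, and Snort 2.x `var` and `stream5_tcp` syntax for the generated config.

```python
# Added example, not the original poster's context.pl: turn host/service data
# (Nessus-like) and OS fingerprints (p0f-like) into Snort 2.x context config.
# Input formats are simplified, constructed CSV, not real tool output.
from collections import defaultdict

# Constructed samples: "host,port,service" and "host,os"
NESSUS_SAMPLE = "10.0.1.10,80,www\n10.0.1.10,443,www\n10.0.1.20,25,smtp\n10.0.1.40,80,www\n"
P0F_SAMPLE = "10.0.1.10,Linux\n10.0.1.20,Windows\n10.0.1.40,Linux\n10.0.1.99,Unknown\n"

# Service name -> Snort variable that rules reference ($HTTP_SERVERS etc.)
SERVICE_TO_VAR = {"www": "HTTP_SERVERS", "smtp": "SMTP_SERVERS", "domain": "DNS_SERVERS"}
# p0f OS label -> stream5 TCP reassembly policy name (Snort 2.x syntax assumed)
OS_TO_POLICY = {"Linux": "linux", "Windows": "windows", "FreeBSD": "bsd"}


def parse_csv(text, fields):
    """Parse CSV lines into dicts keyed by the given field names; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def build_server_vars(nessus_rows):
    """Group hosts under the Snort variable their service maps to (sorted, de-duplicated)."""
    groups = defaultdict(set)
    for row in nessus_rows:
        var = SERVICE_TO_VAR.get(row["service"])
        if var:
            groups[var].add(row["host"])
    return {var: sorted(hosts) for var, hosts in groups.items()}


def build_policies(p0f_rows):
    """Map fingerprinted hosts to a reassembly policy; unknown OSes are left to the default."""
    return {r["host"]: OS_TO_POLICY[r["os"]] for r in p0f_rows if r["os"] in OS_TO_POLICY}


def render_config(server_vars, policies):
    """Render snort.conf fragments: one var line per group, one stream5 binding per host."""
    lines = [f"var {var} [{','.join(hosts)}]" for var, hosts in sorted(server_vars.items())]
    lines += [f"preprocessor stream5_tcp: policy {pol}, bind_to {host}"
              for host, pol in sorted(policies.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_config(build_server_vars(parse_csv(NESSUS_SAMPLE, ["host", "port", "service"])),
                        build_policies(parse_csv(P0F_SAMPLE, ["host", "os"]))))
```

Hosts the scanner never saw on a service port stay out of the variables, so rules scoped to `$HTTP_SERVERS` stop firing on traffic to hosts that do not run that service; re-running the script after each scan keeps the context current.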
Current thread:
- on NIDS/NIPS tuning Anton A. Chuvakin (Jun 09)
- Re: on NIDS/NIPS tuning Ramon Kagan (Jun 10)
- Re: on NIDS/NIPS tuning Bob Huber (Jun 10)
- Re: on NIDS/NIPS tuning Kevin Timm (Jun 10)
- RE: on NIDS/NIPS tuning Darren Webb (Jun 12)
- <Possible follow-ups>
- RE: on NIDS/NIPS tuning Joshua Berry (Jun 09)
- Re: on NIDS/NIPS tuning Jason Falciola (Jun 10)
- Re: on NIDS/NIPS tuning Martin Roesch (Jun 12)
- Re: on NIDS/NIPS tuning Drew Simonis (Jun 10)
- RE: on NIDS/NIPS tuning Gary Halleen (Jun 10)
- Re: on NIDS/NIPS tuning Adam Powers (Jun 12)
- RE: on NIDS/NIPS tuning Gary Halleen (Jun 10)
- RE: on NIDS/NIPS tuning M. Shirk (Jun 10)
- RE: on NIDS/NIPS tuning Phil Hollows (Jun 10)
- Re: on NIDS/NIPS tuning Brent Stackhouse (Jun 12)
- RE: on NIDS/NIPS tuning Hazel, Scott A. (Jun 12)
- RE: on NIDS/NIPS tuning Anton A. Chuvakin (Jun 14)
(Thread continues...)