IDS mailing list archives

RE: on NIDS/NIPS tuning


From: "Joshua Berry" <jberry () PENSON COM>
Date: Thu, 9 Jun 2005 15:41:29 -0500

I tune my IDS sensors for rules that are giving me too many
false-positives, and for any vulnerability or security threat that isn't
addressed with the current rule-set.  I try to go over my rule-set and
configuration every couple of months.

Other than that, I have written a script that I call context.pl that
imports data from nessus scans and p0f profiles (data from these tools
are imported into a database by some custom scripts) and uses that
information to configure some of the variables and rules to attempt to
provide context for the system.  It is somewhat of a hacked together
"poor-man's" attempt at RNA.

-----Original Message-----
From: Anton A. Chuvakin [mailto:anton () chuvakin org] 
Sent: Thursday, June 09, 2005 12:01 PM
To: focus-ids () securityfocus com
Subject: on NIDS/NIPS tuning

All,

I was thinking about some issues with IDS alerts (their volume, etc) and
realized I could use some help from the list. It might also be a  fun
discussion item.

So, here it is: how many folks who buy/download a NIDS/NIPS actually tune
it? Long time ago when I was asking this question the previous time, I was
scared to learn that lots of people do not tune their NIDSs. Is it any
better now?

Best,
-- 
Anton A. Chuvakin, Ph.D., GCIA, GCIH, GCFA
     http://www.info-secure.org
   http://www.securitywarrior.com


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
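To make the "poor-man's RNA" idea in Joshua Berry's reply concrete, the following is an added Python sketch of the same approach; it is not his context.pl (which is not in the archive) and everything in it is constructed: the host inventory (stand-in for p0f OS fingerprints and nessus service scans loaded from a database), the per-rule platform/service metadata, and the service-to-Snort-variable mapping. It grades each alert against what is known about the destination host and renders Snort `var` lines from the inventory.

```python
"""Context-aware NIDS alert grading from asset data (added illustration).

Inventory and rule metadata below are constructed sample data, standing in
for p0f fingerprints and nessus results that a real script would read from
a database.
"""

from dataclasses import dataclass, field

@dataclass
class Host:
    ip: str
    os_family: str                       # p0f-style guess, e.g. "linux" or "windows"
    services: dict = field(default_factory=dict)  # port -> service, nessus-style

# Constructed inventory (two hosts).
INVENTORY = {
    "10.0.0.5": Host("10.0.0.5", "linux", {80: "apache", 22: "openssh"}),
    "10.0.0.7": Host("10.0.0.7", "windows", {80: "iis", 445: "smb"}),
}

# Constructed rule metadata: the platform and service each signature is about.
# os=None means the signature is platform-independent.
RULE_CONTEXT = {
    1001: {"name": "WEB-IIS directory traversal attempt", "os": "windows", "service": "iis"},
    1002: {"name": "SMB remote code execution attempt", "os": "windows", "service": "smb"},
    1003: {"name": "SSH brute force", "os": None, "service": "openssh"},
}

# Constructed mapping from scanned service names to Snort address variables.
SERVICE_TO_VAR = {"apache": "HTTP_SERVERS", "iis": "HTTP_SERVERS", "openssh": "SSH_SERVERS"}


def grade_alert(alert, inventory=INVENTORY, rules=RULE_CONTEXT):
    """Return (verdict, reason) for an alert dict with keys dst, dport, sid.

    Verdicts: "keep" (context matches or is unknown for the rule),
    "likely-fp" (rule cannot apply to this host as scanned), or
    "unknown-host" (no inventory record; keep the alert and queue a scan).
    """
    dst, port, sid = alert["dst"], alert["dport"], alert["sid"]
    host = inventory.get(dst)
    rule = rules.get(sid)
    if host is None:
        return "unknown-host", "no inventory record for %s; keep alert and schedule a scan" % dst
    if rule is None:
        return "keep", "no context metadata for sid %d" % sid
    if rule["os"] and rule["os"] != host.os_family:
        return "likely-fp", "rule targets %s, host fingerprinted as %s" % (rule["os"], host.os_family)
    svc = host.services.get(port)
    if svc is None:
        return "likely-fp", "port %d not open on %s in last scan" % (port, dst)
    if rule["service"] and rule["service"] != svc:
        return "likely-fp", "rule targets %s, host runs %s on %d" % (rule["service"], svc, port)
    return "keep", "platform and service match"


def render_snort_vars(inventory=INVENTORY, mapping=SERVICE_TO_VAR):
    """Build Snort 'var NAME [ip,...]' lines from the scanned services."""
    members = {}
    for host in inventory.values():
        for svc in host.services.values():
            var = mapping.get(svc)
            if var:
                members.setdefault(var, set()).add(host.ip)
    return ["var %s [%s]" % (var, ",".join(sorted(ips)))
            for var, ips in sorted(members.items())]


if __name__ == "__main__":
    # Constructed alerts: IIS signature against a Linux/Apache host, the same
    # against a real IIS host, and an SSH signature against a closed port.
    for a in ({"dst": "10.0.0.5", "dport": 80, "sid": 1001},
              {"dst": "10.0.0.7", "dport": 80, "sid": 1001},
              {"dst": "10.0.0.7", "dport": 22, "sid": 1003},
              {"dst": "10.0.0.9", "dport": 80, "sid": 1001}):
        print(a["sid"], a["dst"], grade_alert(a))
    print("\n".join(render_snort_vars()))
```

The grading is deliberately conservative: a host missing from the inventory or a rule without metadata keeps the alert, so stale scan data lowers the benefit of the script rather than silently dropping real events. That is also why the rescan interval matters as much as the filtering logic.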



