IDS mailing list archives

Re: on NIDS/NIPS tuning


From: Ramon Kagan <rkagan () yorku ca>
Date: Fri, 10 Jun 2005 08:20:38 -0400 (EDT)

Hi,

We continually keep our NIDS and NIPS tuned, adding new rules, removing
bad ones (false positives or just too heavy to run), etc.  I don't quite
see how one can do otherwise.  I just don't see how anyone can consider
either a Plug 'n Play solution.  In fact it would become a Plug 'n Pray
solution.

Ramon Kagan, GCIA
York University, Computing and Network Services
Information Security  -  Senior Information Security Analyst
(416)736-2100 #20263
rkagan () yorku ca

-----------------------------------   ------------------------------------
I have not failed.  I have just        I don't know the secret to success,
found 10,000 ways that don't work.     but the secret to failure is
                                       trying to please everybody.
        - Thomas Edison                         - Bill Cosby
-----------------------------------   ------------------------------------

On Thu, 9 Jun 2005, Anton A. Chuvakin wrote:

All,

I was thinking about some issues with IDS alerts (their volume, etc.) and
realized I could use some help from the list. It might also be a fun
discussion item.

So, here it is: how many folks who buy/download a NIDS/NIPS actually tune
it? A long time ago, when I asked this question the previous time, I was
scared to learn that lots of people do not tune their NIDSs. Is it any
better now?

Best,
--
Anton A. Chuvakin, Ph.D., GCIA, GCIH, GCFA
     http://www.info-secure.org
   http://www.securitywarrior.com

