IDS mailing list archives

Re: on NIDS/NIPS tuning


From: Bob Huber <roberthuberjr () yahoo com>
Date: Thu, 9 Jun 2005 17:21:58 -0700 (PDT)

We spend a considerable amount of time tuning our IDS (100+). It allows us to quickly focus on 'meatier' events. Having quite a few IDS, with many on the internal network, most of the tuning is for normal network traffic: SNMP, ICMP, DNS, SMTP, etc. Our tuning is fairly fine-grained, by protocol, by src/dst IP or src and dst net. We lock it down as best we can. And since we are audited, we also comment all of the filtering we perform. The downside, and something I would like to see the IDS/IPS vendors add to their functionality: time-stamp the filter entries and record the most recent time the filter has fired, so we can remove the filter if it is no longer in use.

I've spoken with quite a few organizations myself that just turn IDS on and forget about it. I'm sure some folks even use SIM as a crutch in this instance, using it to reduce events. Shame. But only so many people like running tcpdump and going through packet captures, I guess; others just look for the blinking red lights.

A side benefit to tuning: you learn your network pretty well, which helps when things get hairy.

Bob
--- "Anton A. Chuvakin" <anton () chuvakin org> wrote:

> All,
>
> I was thinking about some issues with IDS alerts (their volume, etc.) and realized I could use some help from the list. It might also be a fun discussion item.
>
> So, here it is: how many folks who buy/download a NIDS/NIPS actually tune it? A long time ago, when I was asking this question the previous time, I was scared to learn that lots of people do not tune their NIDSs. Is it any better now?
>
> Best,
> --
> Anton A. Chuvakin, Ph.D., GCIA, GCIH, GCFA
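Bob's bookkeeping above (fine-grained suppression filters by protocol and src/dst net, each with an audit comment, plus the missing vendor feature of a creation timestamp and a last-fired time so dead filters can be retired) is small enough to sketch. The following is an added example written for this thread, not code from either poster or from any IDS product; the filter fields, the alert tuple layout and the sample alerts are constructed for illustration.

```python
"""Tuning-filter bookkeeping for a NIDS: each suppression filter carries an
audit comment, a creation timestamp and the time it last matched an alert,
so filters that no longer fire can be found and removed.
Example code for this discussion; the filters and alerts below are
constructed sample data, not real network traffic."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class TuningFilter:
    name: str
    protocol: str              # "snmp", "icmp", "dns", "smtp", ... or "*" for any
    src_net: str               # CIDR; "0.0.0.0/0" means any source
    dst_net: str               # CIDR; "0.0.0.0/0" means any destination
    comment: str               # why the filter exists (kept for the auditors)
    created: datetime
    last_fired: Optional[datetime] = None
    hits: int = 0

    def matches(self, proto: str, src: str, dst: str) -> bool:
        if self.protocol != "*" and self.protocol != proto:
            return False
        return (ip_address(src) in ip_network(self.src_net)
                and ip_address(dst) in ip_network(self.dst_net))


def apply_filters(filters, alerts):
    """Return the alerts no filter suppressed.  Each alert is a constructed
    tuple (timestamp, protocol, src_ip, dst_ip, signature).  The first
    matching filter absorbs the alert and has its hit count and last_fired
    updated, which is the record Bob wants the vendors to keep."""
    kept = []
    for ts, proto, src, dst, sig in alerts:
        for f in filters:
            if f.matches(proto, src, dst):
                f.hits += 1
                if f.last_fired is None or ts > f.last_fired:
                    f.last_fired = ts
                break
        else:
            kept.append((ts, proto, src, dst, sig))
    return kept


def stale_filters(filters, now: datetime, max_idle: timedelta):
    """Names of filters that have not fired within max_idle.  A filter that
    has never fired is measured from its creation time, so a long-forgotten
    exception shows up even if it never matched anything."""
    return [f.name for f in filters
            if now - (f.last_fired or f.created) > max_idle]


def build_sample():
    """Constructed filters and alerts in the spirit of the thread."""
    t0 = datetime(2005, 6, 9, 12, 0)
    filters = [
        TuningFilter("snmp-polls", "snmp", "10.1.0.0/24", "0.0.0.0/0",
                     "NMS pollers on 10.1.0.0/24 query every host",
                     t0 - timedelta(days=400)),
        TuningFilter("icmp-monitor", "icmp", "10.1.0.5/32", "10.0.0.0/8",
                     "availability monitor pings internal nets",
                     t0 - timedelta(days=200)),
        TuningFilter("old-dns-test", "dns", "10.9.9.0/24", "0.0.0.0/0",
                     "temporary exception for a lab DNS test",
                     t0 - timedelta(days=300)),
    ]
    alerts = [
        (t0, "snmp", "10.1.0.7", "10.2.3.4", "SNMP public community"),
        (t0 + timedelta(minutes=1), "icmp", "10.1.0.5", "10.2.3.4", "ICMP ping sweep"),
        (t0 + timedelta(minutes=2), "smtp", "192.0.2.10", "10.2.3.25", "SMTP VRFY attempt"),
        (t0 + timedelta(minutes=3), "snmp", "192.0.2.11", "10.2.3.4", "SNMP public community"),
    ]
    return filters, alerts


def review_sample(max_idle_days: int = 90):
    """Run the sample through the filters and report what a reviewer wants:
    surviving alerts, how often each filter fired, and which are stale."""
    filters, alerts = build_sample()
    kept = apply_filters(filters, alerts)
    now = datetime(2005, 6, 10)
    return {
        "kept": [sig for (_, _, _, _, sig) in kept],
        "hits": {f.name: f.hits for f in filters},
        "stale": stale_filters(filters, now, timedelta(days=max_idle_days)),
    }


if __name__ == "__main__":
    for key, value in review_sample().items():
        print(f"{key}: {value}")
```

Two alerts survive (the external SMTP probe and the SNMP alert from a source outside the poller net), the two operational filters record a hit and a last-fired time, and the lab DNS exception is reported stale because nothing has matched it since it was created. The "first match wins" ordering matters: put the narrowest filters first, or a broad one will absorb hits that should have been credited to a more specific entry.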


                
__________________________________ 
Discover Yahoo! 
Find restaurants, movies, travel and more fun for the weekend. Check it out! 
http://discover.yahoo.com/weekend.html 



