IDS mailing list archives

Re: on NIDS/NIPS tuning


From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 10 Jun 2005 21:13:01 -0400

I have two observations:

1) On this list you will find a high number of "tuners". People on this list are obviously into this topic, so this is to be expected.

2) Generally speaking (and going by nearly 7 years of experience with people using Snort) I'd say that lots of people use their IDSs in their completely stock configuration. Hell, we've even got Snort users who auto-download rule updates and fire them up sight unseen, something that was shown pretty clearly a few years ago (pre-Sourcefire) when we checked a joke rule into CVS and got a bunch of pissed off emails from people who had auto-deployed them.

This is a real problem with detection technology in general: it takes a lot of expertise to tune effectively if you want to get a lot of value out of it. That expertise is a fairly esoteric set of skills which is difficult to find in a lot of organizations. Now obviously I have some real ideas about that topic, but that wasn't the point of this thread...

     -Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Network Defense for the Real World - http://www.sourcefire.com
Snort: Open Source Intrusion Detection and Prevention - http://www.snort.org