IDS mailing list archives

RE: on NIDS/NIPS tuning


From: "Anton A. Chuvakin" <anton () chuvakin org>
Date: Mon, 13 Jun 2005 18:21:49 -0400 (EDT)

All,

OMG, this discussion actually went in the direction I meant it to go
(towards SIM) without me driving it there ...

Just for the list's entertainment value, I do run my NIDSs with all sigs
enabled and (oh horror!) my Snorts do autodownload from snort.org *and*
bleedingsnort. Am I an idiot? :-) No, I design next-generation correlation
technology.

> Theoretically, the SIM uses all the data it sees to correlate attacks,
> attackers, trends in suspicious activity, etc. If you tune what appears
> to be noise at the IDS, you could potentially be tuning out data the SIM
> uses to correlate and alert on a higher quality event.
>
> Conversely, tuning out known FP's at the IDS should create a higher
> quality data stream for the SIM to use. Logic points me to opening the
> IDS and letting the SIM do the work. The SIM would also be where the

The above excerpt from Scott Hazel's post is pretty much what I wanted to
say next :-) More NIDS data for the SIM to chew on vs. a higher-quality data
stream from well-tuned NIDSs is a very good question. Now, I do see this
problem not necessarily as "where to tune - on NIDS or on SIM", but more
like "how to best use SIM to help the ailing NIDSs and soon-to-be-ailing
NIPSes". In addition, one has to tune NIPS on a NIPS today (for inline
blocking action to happen), unless you plan to use SIM correlation to make
those blocking decisions on a NIPS (can be done in the future).

As it happens, I prefer more data to be available for a SIM. And, if your
SIM is really good, it should be able to work well for you under the
circumstances. Now, those classic "false positives" where NIDS is 'just
plain wrong' might not add any value to SIM's view of the network, but, on
the other hand, SIM will help you deprioritize them. However, other types
of what is often seen as "false alarms" do actually help SIM
decision-making quite often. In addition, a big pool of those "false"
messages sometimes can be mined for some hidden gems, given the right
technology.

Best,
-- 
Anton A. Chuvakin, Ph.D., GCIA, GCIH, GCFA
     http://www.info-secure.org
   http://www.securitywarrior.com
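As an added example (not code from Anton's or Scott's posts), the Python below sketches the SIM-side handling the thread argues for: an untuned Snort feed goes in whole, the SIM deprioritizes signatures that fire as background noise from many unrelated sources, and correlates what is left per source so that a low-priority ATTACK-RESPONSES alert becomes the "hidden gem" corroborating an escalation. The alert records, signature ids, messages, addresses and thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed Snort-style alerts from an untuned sensor: (sid, msg, src, dst).
# Signature ids, messages and addresses are made up for this example.
ALERTS = [
    (384, "ICMP PING", "10.0.1.%d" % i, "10.0.2.%d" % (i % 4 + 1))
    for i in range(1, 13)
] + [
    (1002, "WEB-IIS cmd.exe access", "198.51.100.7", "10.0.2.1"),
    (1002, "WEB-IIS cmd.exe access", "198.51.100.7", "10.0.2.2"),
    (1003, "WEB-MISC /etc/passwd", "198.51.100.7", "10.0.2.3"),
    (1201, "ATTACK-RESPONSES 403 Forbidden", "10.0.2.3", "198.51.100.7"),
    (1003, "WEB-MISC /etc/passwd", "203.0.113.4", "10.0.2.1"),
]

def noisy_signatures(alerts, min_sources=5, min_share=0.5):
    """Signatures that dominate the feed and fire from many unrelated
    sources: background noise the SIM deprioritizes instead of the sensor
    dropping it. Returns the set of signature ids."""
    count, sources = defaultdict(int), defaultdict(set)
    for sid, _msg, src, _dst in alerts:
        count[sid] += 1
        sources[sid].add(src)
    return {sid for sid in count
            if len(sources[sid]) >= min_sources
            and count[sid] / len(alerts) >= min_share}

def escalate(alerts, noisy):
    """Per-source correlation over everything that is not noise: one source
    tripping several signatures against several hosts outranks any single
    alert, and an ATTACK-RESPONSES alert flowing back to it corroborates."""
    sids, dsts = defaultdict(set), defaultdict(set)
    for sid, _msg, src, dst in alerts:
        if sid not in noisy:
            sids[src].add(sid)
            dsts[src].add(dst)
    return {
        src: {
            "sids": sorted(sids[src]),
            "dsts": sorted(dsts[src]),
            "corroborated": any(dst == src and msg.startswith("ATTACK-RESPONSES")
                                for _sid, msg, _src, dst in alerts),
        }
        for src in sids if len(sids[src]) >= 2 and len(dsts[src]) >= 2
    }

def triage(alerts=ALERTS):
    """Returns (deprioritized signature ids, escalated sources)."""
    noisy = noisy_signatures(alerts)
    return noisy, escalate(alerts, noisy)
```

Note that the single-source "/etc/passwd" probe from 203.0.113.4 stays in the data and is neither dropped nor escalated; it is available for later correlation rather than tuned away at the sensor.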


