IDS mailing list archives

Re: IDS Tuning


From: lucien Fransman <lucien.fransman () irc2 nl>
Date: Sun, 12 Mar 2006 11:50:48 +0100

On Thursday 09 March 2006 21:49, Naveen Sharma wrote:
> Hi All,
>
> What exactly is IDS tuning? Please provide steps to tune Snort.
Well,
IDS tuning is not something that is done in 10 minutes.
To clarify:
Tuning an IDS can mean many things to many people. For example, some people 
think that tuning means tweaking snort, the OS and the network configuration 
so that their system delivers the maximum throughput and maximum performance. 
Others would argue that you will get nowhere when not weeding out all the 
rules that give false positives in your network.

What it comes down to, in my opinion, is that when you tune snort, you 
customize the whole IDS environment (network, OS, snort installation, 
operator behind the console) to deliver the max out of your IDS environment.

With that philosophy, there aren't a couple of magic steps you can perform, but 
it is something that will differ from site to site.

Generally, take this into account:
- Let it run for a while with maxed out settings.
- Is network traffic dropped? (Look at your network configuration; maybe you 
need to modify things there, e.g. multiple snort machines in line that check 
for different kinds of traffic.)
- Is the machine overloaded in daily use? (Tweak and tune the OS.)
- What alerts are false? (Modify or remove rules that cause false alerts.)
- What do you do when you get an alert? (Strict behavior for follow-up means 
less time spent per incident.)
- Do you feel there are other things that should be done to let things run 
smoother?

Then you go back to one of the earlier steps, and repeat the procedure. 

As I said, these steps are in no way the panacea of IDS tuning, but they 
should get you started. Oh, and there are some good books out there that deal 
with deploying snort, and these books have great tips on what you should look 
at when tuning.

Anyway, an IDS that is not tuned/customized for your site might as well not be 
there, because in the long run no one will bother looking at the alerts, 
because 99% of the alerts will have no meaning to you. The 1% will just get 
lost in the massive amount of reported alerts.


Kind regards,

Enchanter_tim


> Thanks in advance.
>
> Cordial regards
>
> Naveen



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
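The "what alerts are false?" step above is usually approached by ranking the alerts that actually fired. The following is an added example, not code from the original post: it parses Snort "alert_fast" lines (the sample lines are constructed), counts hits per signature and per source, and drafts candidate threshold.conf `suppress` entries for signatures dominated by a single source, which an analyst then reviews against the rule before loading. The thresholds `share` and `min_hits` are assumed starting values, not Snort defaults.

```python
# Rank Snort fast-alert lines by signature and source to find noisy rules,
# then draft threshold.conf entries for review. Added example, not from the
# original post; sample alert lines are constructed.
import re
from collections import Counter

# Snort 2.x "alert_fast" layout: [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
FAST_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample: one source tripping a local rule over and over.
SAMPLE_ALERTS = """\
03/12-11:50:48.000001  [**] [1:2000:1] LOCAL noisy scanner check [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.1.5:4431 -> 10.1.2.9:80
03/12-11:50:49.000002  [**] [1:2000:1] LOCAL noisy scanner check [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.1.5:4432 -> 10.1.2.9:80
03/12-11:50:50.000003  [**] [1:2000:1] LOCAL noisy scanner check [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.1.5:4433 -> 10.1.2.9:80
03/12-11:50:51.000004  [**] [1:2000:1] LOCAL noisy scanner check [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.1.7:5000 -> 10.1.2.9:80
03/12-11:51:02.000005  [**] [1:3001:2] LOCAL sql injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.44:51000 -> 10.1.2.9:443
03/12-11:51:03.000006  [**] [1:4002:1] LOCAL icmp echo to gateway [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.8 -> 10.1.1.1
"""

def parse_alerts(text):
    """Return one dict per line that matches the fast-alert layout; other lines are skipped."""
    return [m.groupdict() for m in map(FAST_RE.search, text.splitlines()) if m]

def rank_signatures(alerts):
    """Count alerts per (gid, sid) and per (gid, sid, src) so top talkers stand out."""
    by_sig = Counter((a["gid"], a["sid"]) for a in alerts)
    by_sig_src = Counter((a["gid"], a["sid"], a["src"]) for a in alerts)
    return by_sig, by_sig_src

def draft_threshold_entries(alerts, share=0.5, min_hits=3):
    """Propose threshold.conf 'suppress' lines for rules dominated by one source.

    A source gets a candidate line when it produced at least `min_hits` alerts
    for a rule and at least `share` of that rule's total (assumed cut-offs).
    """
    by_sig, by_sig_src = rank_signatures(alerts)
    entries = []
    for (gid, sid, src), n in by_sig_src.most_common():
        if n >= min_hits and n / by_sig[(gid, sid)] >= share:
            entries.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return entries

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for sig, n in rank_signatures(parsed)[0].most_common():
        print(f"{sig[0]}:{sig[1]}  {n} alerts")
    print("\n".join(draft_threshold_entries(parsed)))
```

Run against a real alert file by replacing SAMPLE_ALERTS with the file contents; a rule whose hits are spread across many sources is a candidate for an `event_filter` or a rule fix rather than a per-IP suppress.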


