IDS mailing list archives

Re: IDS Tuning


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Tue, 14 Mar 2006 00:13:32 +0530

On 10/03/06 07:49 +1100, Naveen Sharma wrote:
> Hi All,
>
> What exactly is IDS tuning? Please provide steps to tune Snort.


Homework assignment for a network administrator? Google is your friend,
but anyway:

IDS tuning is configuring the IDS to perform ideally in your
environment, with few false positives in the alerts generated.

Tuning Snort (or any other IDS):
You have two options -
1.a) Learn all about networking, the applications you run, and the state
of your network.
1.b) Learn to find bottlenecks in hardware.
1.c) Learn to write Snort signatures.
1.d) Tune Snort.

2.a) Define tuned parameters expected.
2.b) Hire expensive consultant to tune Snort.
2.c) Pay consultant.
2.d) Keep consultant around to understand Snort output.

Nothing replaces the human brain and the ability to RTFM.

Devdas Bhagat
