IDS mailing list archives

RE: Recommended IPS signature set


From: "Yahsodhan Deshpande" <yahsodhan.deshpande () nevisnetworks com>
Date: Mon, 10 Dec 2007 10:12:25 -0800

Most of the 'out-of-box' configurations are chosen so that the device
performs better.

So they would disable the signatures which would affect the performance.
You would observe that most of the signatures where pattern matching is
involved per packet (independent of the flow, or specific port number)
would always be disabled.

Another reason for disabling non-critical signatures is that some of the
devices have a limit on the number of patterns that can be loaded into fast
memory without needing to swap out. Thus they try to limit the
number of patterns by tuning the number of signatures.

Some of the signatures are disabled because of high rate of false
positives.

Although none of the products would say the above, that is the primary
reason.

Anyway, it is better to tune the IDS/IPS device for the individual
environment so as to get maximum performance and fewer false positives.



Regards,
Yashodhan
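The cost criteria described above (per-packet pattern matching with no flow or port constraint, and the number of patterns loaded into fast memory) can be checked against a ruleset mechanically. The following is an added example, not code from this thread or from any vendor: it triages Snort/Suricata-style rules by those two criteria. The sample rules, the cost tiers and the pattern budget are constructed assumptions for illustration.

```python
import re

# Constructed sample ruleset in Snort/Suricata syntax (not from the thread).
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB cgi-bin probe"; flow:to_server,established; content:"/cgi-bin/"; sid:1000001; rev:1;)
alert ip any any -> any any (msg:"NOP sled, any proto/port"; content:"|90 90 90 90 90 90|"; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"Flow-bound, any port"; flow:established,to_server; content:"foo"; content:"bar"; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"DNS query shape"; content:"|01 00 00 01|"; offset:2; sid:1000004; rev:1;)
alert tcp any any -> any any (msg:"SYN with no payload test"; flags:S; sid:1000005; rev:1;)
"""

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# Options: name[:value]; where value may be a quoted string containing ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def classify_rule(line):
    """Return None for non-rule lines, else a dict describing the rule's matching cost."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    _action, _proto, _src, sport, _dir, _dst, dport, body = m.groups()
    opts = OPTION_RE.findall(body)
    names = [n for n, _ in opts]
    patterns = sum(1 for n in names if n in ("content", "pcre"))  # fast-memory consumers
    flow_bound = "flow" in names            # only inspected on matching flow state
    port_bound = sport != "any" or dport != "any"  # only inspected on specific ports
    # Assumed tiering: pattern matching on every packet regardless of flow or
    # port is the "high" tier the post says vendors disable by default.
    if patterns == 0 or (flow_bound and port_bound):
        tier = "low"
    elif flow_bound or port_bound:
        tier = "medium"
    else:
        tier = "high"
    sid = next((v for n, v in opts if n == "sid"), "?")
    return {"sid": sid, "patterns": patterns, "flow_bound": flow_bound,
            "port_bound": port_bound, "tier": tier}


def triage(rules_text):
    """Classify every rule line in a ruleset; comments and blank lines are skipped."""
    return [r for r in (classify_rule(l) for l in rules_text.splitlines()) if r]


def pattern_budget_report(results, budget):
    """Total the loaded patterns and flag when they exceed the engine's fast-memory budget."""
    total = sum(r["patterns"] for r in results)
    tiers = {t: sum(1 for r in results if r["tier"] == t) for t in ("low", "medium", "high")}
    return {"total_patterns": total, "over_budget": total > budget, "tiers": tiers}


if __name__ == "__main__":
    rows = triage(SAMPLE_RULES)
    for r in rows:
        print(r)
    print(pattern_budget_report(rows, budget=4))
```

Rules reported as "high" are the candidates to review first when a default profile disables them; the budget check shows how far the pattern count sits from an assumed fast-memory limit.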


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Ravi Chunduru
Sent: Saturday, December 08, 2007 8:17 AM
To: focus-ids () securityfocus com
Subject: Recommended IPS signature set

I understand from several emails in this list that UTM or IPS
devices enable only a subset of signatures for detection as well as
blocking - it is being termed 'sane IPS', 'out-of-box IPS',
'recommended', etc.

Is there any criterion (standard or non-standard) used in categorizing
a signature as 'recommended'? Is it based on CVE priority?

Thanks
Ravi

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

