Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: on NIDS/NIPS tuning

from [Bob Huber] Network Security [Permanent Link]
Subject: Re: on NIDS/NIPS tuning
Date: Thu, 9 Jun 2005 17:21:58 -0700 (PDT) 
We spend a considerable amount of time tuning our IDS
(100+).  It allows us to quickly focus on 'meatier'
events.  Having quite a few IDS, with many on the
internal network, most of the tuning is for normal
network traffic, SNMP, ICMP, DNS, SMTP etc..  Our
tuning is fairly fine-grained, by protocol, by src/dst
ip or src and dst net.  We lock it down as best we
can.  And since we are audited, we also comment all of
the filtering we perform.  The downside, and something
I would like to see the IDS/IPS vendors add into their
functionality, time stamp the filter entries and
record the most recent time the filter has fired so we
can remove the filter if it is no longer in use.

I've spoken with quite a few organizations myself that
just turn IDS on and forget about it.  I'm sure some
folks even use SIM as a crutch in this instance, using
it to reduce events..Shame..But only so many people
like running tcpdump and going through packet captures
I guess, others just look for the blinking red lights.

A side benefit to tuning, you learn your network
pretty well which helps when things get hairy.

Bob
--- "Anton A. Chuvakin" <anton@chuvakin.org> wrote:


All,

I was thinking about some issues with IDS alerts
(their volume, etc) and
realized I could use some help from the list. It
might also be a  fun
discussion item.

So, here it is: how many folks who buy/download a
NIDS/NIPS actually tune
it? Long time ago when I was asking this question
the previous time, I was
scared to learn that lots of people do not tune
their NIDSs. Is it any
better now?

Best,
-- 
Anton A. Chuvakin, Ph.D., GCIA, GCIH, GCFA



                
__________________________________ 
Discover Yahoo! 
Find restaurants, movies, travel and more fun for the weekend. Check it out! 
http://discover.yahoo.com/weekend.html 


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: on NIDS/NIPS tuning, M. Shirk
Next by Date:  Re: RE: IDS\IPS that can handle one Gig, ian . bamford
Previous by Thread:  Re: on NIDS/NIPS tuning, Ramon Kagan
Next by Thread:  Re: on NIDS/NIPS tuning, Kevin Timm
Indexes:  [Date] [Thread] [Top] [All Lists]