Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: on NIDS/NIPS tuning

from [Phil Hollows] Network Security [Permanent Link]
Subject: RE: on NIDS/NIPS tuning
Date: Fri, 10 Jun 2005 16:15:23 -0400 
<snip>
For example, if there are no webservers on a segment, I might
not be as inclined to use sigs that check for Apache exploits
</snip>

The logic here is that you don't have a lock for the key being used.
But the information that you're still being attacked is still very
useful, even if the attack on the current segment will fail, because
then you can use that info to block your hypothetical attacker from
segments that DO have Apache.  If you ignore or tune out this
information you'll be reacting and behind the 8 ball when the attacker
finds those web servers, expensive and annoying, instead of having dealt
with him up front before any damage can be done when you had the chance.

Just a different perspective on the problem, but then I am a SIM vendor
(as is Anton, of course...)

FWIW 

Phil Hollows
 
Please note my updated contact information: OpenService is now at
www.openservice.com 

VP Security Products
OpenService, Inc.
www.openservice.com 
Blog: www.openservice.com/blogs 
 
 

-----Original Message-----
From: Drew Simonis [mailto:simonis@myself.com] 
Sent: Friday, June 10, 2005 9:02 AM
To: Anton A. Chuvakin; focus-ids@securityfocus.com
Subject: Re: on NIDS/NIPS tuning



All,

I was thinking about some issues with IDS alerts (their volume, etc)

and

realized I could use some help from the list. It might also be a  fun
discussion item.

So, here it is: how many folks who buy/download a NIDS/NIPS actually

tune

it? Long time ago when I was asking this question the previous time, I

was

scared to learn that lots of people do not tune their NIDSs. Is it any
better now?



I know that, in my experience, many orgs don't tune at all.  The fear is

that they might do it wrong and thereby miss some important event.  IMO,
this is a stupid way of thinking, but I bet it isn't as rare as it
should
be.  

In other cases, people do not tune and rely on a correlation engine or
MSS
to filter the events.  This is better, but really just moves the tuning
to 
a different level.

Personally, I tune sigs and also tailor the sig sets to the devices
being
monitored.  For example, if there are no webservers on a segment, I
might
not be as inclined to use sigs that check for Apache exploits.  I've
never
really measured the impact on the system vs. the administrative cost of 
doing this, however, so it is quite possible I am wasting time for a 
negligable benefit.  

On the tuning side, I believe that filters and exclusions should be part
of the incident response lifecycle.  If I am alerted to an event by an
IDS,
I investigate and discover that the event was benign or did not take
place,
a filter should result, and thus be properly documented.  

-Ds

-- 
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm


------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------
--


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: RE: IDS\IPS that can handle one Gig, ian . bamford
Next by Date:  RE: on NIDS/NIPS tuning, Gary Halleen
Previous by Thread:  RE: on NIDS/NIPS tuning, M. Shirk
Next by Thread:  Re: on NIDS/NIPS tuning, Brent Stackhouse
Indexes:  [Date] [Thread] [Top] [All Lists]