Hey Anton,
Yup, I always tune, whether using ISS, Cisco, or
McAfee. Don't see how you can avoid it and still get
what you want. Even when using a SIM with Cisco IPS,
I still have to make sure the "right" signatures are
enabled, since Cisco's sig updates don't enable all of
them by default (and I may pick different ones to
enable than Cisco did). A SIM doesn't change that
step, at least not the Cisco MARS product I've been
using recently.
Brent Stackhouse, GSEC/GCIH
Date: Thu, 9 Jun 2005 13:01:20 -0400 (EDT)
From: "Anton A. Chuvakin" <anton@chuvakin.org>
To: focus-ids@securityfocus.com
Subject: on NIDS/NIPS tuning
All,
I was thinking about some issues with IDS alerts
(their volume, etc) and
realized I could use some help from the list. It
might also be a fun
discussion item.
So, here it is: how many folks who buy/download a
NIDS/NIPS actually tune
it? Long time ago when I was asking this question
the previous time, I was
scared to learn that lots of people do not tune
their NIDSs. Is it any
better now?
Best,
--
Anton A. Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.info-secure.org
http://www.securitywarrior.com
__________________________________
Discover Yahoo!
Find restaurants, movies, travel and more fun for the weekend. Check it out!
http://discover.yahoo.com/weekend.html
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
