
| Subject: | RE: on NIDS/NIPS tuning |
|---|---|
| Date: | Mon, 13 Jun 2005 18:21:49 -0400 (EDT) |
All, OMG, this discussion actually went in the direction I meant it to go (towards SIM) without me driving it there ... Just for the list's entertainment value, I do run my NIDSs with all sigs enabled and (oh horror!) my Snorts do autodownload from snort.org *and* bleedingsnort. Am I an idiot? :-) No, I design next-generation correlation technology.
Theoretically, the SIM uses all the data it sees to correlate attacks, attackers, trends in suspicious activity, etc. If you tune what appears to be noise at the IDS, you could potentially be tuning out data the SIM uses to correlate and alert on a higher quality event. Conversely, tuning out known FP's at the IDS should create a higher quality data stream for the SIM to use. Logic points me to opening the IDS and letting the SIM do the work. The SIM would also be where the
The above excerpt from Scott Hazel's post is pretty much what I wanted to
say next :-) More NIDS data for the SIM to chew on vs. a higher-quality data
stream from well-tuned NIDSs is a very good question. Now, I do see this
problem not necessarily as "where to tune - on NIDS or on SIM", but more
like "how to best use SIM to help the ailing NIDSs and soon-to-be-ailing
NIPSes". In addition, one has to tune a NIPS on the NIPS today (for the inline
blocking action to happen), unless you plan to use SIM correlation to make
those blocking decisions on a NIPS (which can be done in the future).
As it happens, I prefer more data to be available for a SIM. And, if your
SIM is really good, it should be able to work well for you under the
circumstances. Now, those classic "false positives" where the NIDS is 'just
plain wrong' might not add any value to the SIM's view of the network, but, on
the other hand, the SIM will help you deprioritize them. However, other types
of what is often seen as "false alarms" do actually help SIM
decision-making quite often. In addition, a big pool of those "false"
messages can sometimes be mined for hidden gems, given the right
technology.
Best,
--
Anton A. Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.info-secure.org
http://www.securitywarrior.com
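The SIM-side approach argued for in this reply (leave the NIDS signatures open, let the SIM drop the known false positives and deprioritize noise, then correlate what is left into a higher-quality event), as an added example in Python that is not part of the original post or any product. Sensor names, signature IDs, messages and addresses are constructed, and `triage` and `sensor_side_disable` are hypothetical helpers.

```python
from collections import defaultdict

# Constructed sample feed from two sensors running with all signatures enabled.
# Sensor names, SIDs, messages and addresses are hypothetical.
SID_SNMP, SID_PING = 900001, 900002
ALERTS = [
    {"sensor": "nids-dmz", "sid": SID_SNMP, "msg": "SNMP public community", "src": "10.0.1.5", "dst": "10.0.2.10"},
    {"sensor": "nids-dmz", "sid": SID_SNMP, "msg": "SNMP public community", "src": "10.0.1.5", "dst": "10.0.2.11"},
    {"sensor": "nids-dmz", "sid": SID_SNMP, "msg": "SNMP public community", "src": "192.168.9.77", "dst": "10.0.2.10"},
    {"sensor": "nids-dmz", "sid": SID_PING, "msg": "ICMP scanner ping", "src": "192.168.9.77", "dst": "10.0.2.10"},
    {"sensor": "nids-core", "sid": SID_PING, "msg": "ICMP scanner ping", "src": "192.168.9.77", "dst": "10.0.3.4"},
    {"sensor": "nids-core", "sid": SID_PING, "msg": "ICMP scanner ping", "src": "10.0.4.2", "dst": "10.0.3.4"},
]

# SIM-side tuning: a known false positive is keyed on (sid, source), e.g. the
# monitoring server's legitimate SNMP polling, so the same signature from any
# other source still reaches correlation. Noise signatures are kept but lowered.
KNOWN_FP = {(SID_SNMP, "10.0.1.5")}
NOISE_SIDS = {SID_PING}


def sensor_side_disable(alerts, disabled_sids):
    """The alternative: disabling a signature on the NIDS removes it for every source."""
    return [a for a in alerts if a["sid"] not in disabled_sids]


def triage(alerts, known_fp=KNOWN_FP, noise_sids=NOISE_SIDS):
    """Drop known FPs, deprioritize noise, then correlate the rest per source.

    Returns (kept, events): kept alerts carry a 'priority'; an event is raised for
    a source tripping two or more distinct signatures across more than one sensor
    or destination, even when every alert on its own was low priority.
    """
    kept = []
    by_src = defaultdict(lambda: {"sids": set(), "sensors": set(), "dsts": set()})
    for a in alerts:
        if (a["sid"], a["src"]) in known_fp:
            continue  # the sensor is 'just plain wrong' for this pair only
        kept.append({**a, "priority": "low" if a["sid"] in noise_sids else "medium"})
        s = by_src[a["src"]]
        s["sids"].add(a["sid"]); s["sensors"].add(a["sensor"]); s["dsts"].add(a["dst"])
    events = []
    for src, s in sorted(by_src.items()):
        if len(s["sids"]) >= 2 and (len(s["sensors"]) >= 2 or len(s["dsts"]) >= 2):
            events.append({"src": src, "priority": "high", "sids": sorted(s["sids"]),
                           "sensors": sorted(s["sensors"]), "dsts": sorted(s["dsts"])})
    return kept, events


if __name__ == "__main__":
    kept, events = triage(ALERTS)
    print(len(kept), "alerts kept;", len(events), "correlated event(s):", events)
    # Same correlation over a feed where SNMP was disabled at the sensor instead:
    print(triage(sensor_side_disable(ALERTS, {SID_SNMP}))[1])  # -> [] (the scanner's SNMP probe never arrived)
```

With the full feed the scanning host's low-priority pings plus its single SNMP probe combine into one high-priority event; with the SNMP signature disabled at the sensor, that probe never reaches the SIM and the same host stays below the correlation threshold.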