Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: on NIDS/NIPS tuning

from [Kohlenberg, Toby] Network Security [Permanent Link]
Subject: RE: on NIDS/NIPS tuning
Date: Mon, 13 Jun 2005 10:42:25 -0700 
I'd suggest that IDS(ips) tuning is still essential. Not only do
rules/sigs
need to be tuned but new sigs/rules need to be added to fit your
environment.

Where to tune is a very good question and not easily answered. I
generally
try to tune on the sensor first and on the SIM second. The idea being
that I
want to decrease the work the sensor has to do rather than just ignore
it.

That said, it's only reasonable to do that if you can be confident of
reducing
false positives without increasing false negatives at the same time.

toby 


-----Original Message-----
From: Hazel, Scott A. [mailto:Scott.Hazel@unisys.com] 
Sent: Saturday, June 11, 2005 9:20 PM
To: focus-ids@securityfocus.com
Subject: RE: on NIDS/NIPS tuning

This is a fundamental question we've been dealing with as well. By
default we tune the IDS. But when the SIM tool is thrown into the mix,
the question becomes where to tune. Theoretically, the SIM uses all the
data it sees to correlate attacks, attackers, trends in suspicious
activity, etc. If you tune what appears to be noise at the IDS, you
could potentially be tuning out data the SIM uses to correlate 
and alert
on a higher quality event. 

Conversely, tuning out known FP's at the IDS should create a higher
quality data stream for the SIM to use. Logic points me to opening the
IDS and letting the SIM do the work. The SIM would also be where the
data was tuned. In the end, it seems you could go either way depending
on how you want your alerts served up to you and how much disk you've
got to hold all that data in the IDS. 

Thanks for starting this thread though. Tuning an IDS seems as much an
art as a science. I'm glad to see input on how the rest of you handle
it. 

Scott Hazel

-----Original Message-----
From: Gary Halleen [mailto:ghalleen@cisco.com] 
Sent: Friday, June 10, 2005 4:17 PM
To: 'Drew Simonis'; 'Anton A. Chuvakin'; focus-ids@securityfocus.com
Subject: RE: on NIDS/NIPS tuning

I'm seeing many organizations now tuning not on the IDS, but on the SIM
product they're using for monitoring them.

Gary


-----Original Message-----
From: Drew Simonis [mailto:simonis@myself.com] 
Sent: Friday, June 10, 2005 6:02 AM
To: Anton A. Chuvakin; focus-ids@securityfocus.com
Subject: Re: on NIDS/NIPS tuning



All,

I was thinking about some issues with IDS alerts (their volume, etc) 
and realized I could use some help from the list. It might 

also be a  

fun discussion item.

So, here it is: how many folks who buy/download a NIDS/NIPS actually 
tune it? Long time ago when I was asking this question the previous 
time, I was scared to learn that lots of people do not tune their 
NIDSs. Is it any better now?



I know that, in my experience, many orgs don't tune at all.  
The fear is
that they might do it wrong and thereby miss some important 
event.  IMO,
this is a stupid way of thinking, but I bet it isn't as rare as it
should
be.  

In other cases, people do not tune and rely on a correlation engine or
MSS
to filter the events.  This is better, but really just moves the tuning
to a
different level.

Personally, I tune sigs and also tailor the sig sets to the devices
being
monitored.  For example, if there are no webservers on a segment, I
might
not be as inclined to use sigs that check for Apache exploits.  I've
never
really measured the impact on the system vs. the administrative cost of
doing this, however, so it is quite possible I am wasting time for a
negligable benefit.  

On the tuning side, I believe that filters and exclusions 
should be part
of
the incident response lifecycle.  If I am alerted to an event 
by an IDS,
I
investigate and discover that the event was benign or did not take
place, a
filter should result, and thus be properly documented.  

-Ds

--
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm


---------------------------------------------------------------
---------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
---------------------------------------------------------------
---------
--

---------------------------------------------------------------
---------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
---------------------------------------------------------------
---------
--


---------------------------------------------------------------
-----------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
---------------------------------------------------------------
-----------




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: on NIDS/NIPS tuning, Anton A. Chuvakin
Next by Date:  Re: Snort & iptables on the same box, Will Metcalf
Previous by Thread:  RE: on NIDS/NIPS tuning, Anton A. Chuvakin
Next by Thread:  RE: on NIDS/NIPS tuning, David Kee
Indexes:  [Date] [Thread] [Top] [All Lists]