
| Subject: | Re: IDS Tuning |
|---|---|
| Date: | Sun, 12 Mar 2006 11:50:48 +0100 |
On Thursday 09 March 2006 21:49, Naveen Sharma wrote:
Hi All, What exactly is IDS tuning? Please provide steps to tune Snort.
Well, IDS tuning is not something that is done in 10 minutes. To clarify: tuning an IDS can mean many things to many people. For example, some people think of tuning as getting their system to deliver the maximum throughput and maximum performance by tweaking snort, the OS and the network configuration. Others would argue that you will get nowhere when not weeding out all the rules that give false positives in your network.

What it comes down to, in my opinion, is that when you tune snort, you customize the whole IDS environment (network, OS, snort installation, operator behind the console) to deliver the max out of your IDS environment. With that philosophy, there aren't a couple of magic steps you can perform, but it is something that will differ from site to site. Generally, take this into account:

- Let it run for a while with maxed out settings.
- Is network traffic dropped? (Look at your network configuration; maybe you need to modify things there (multiple snort machines in line that check for different kinds of traffic).)
- Is the machine overloaded in daily use? (Tweak and tune the OS.)
- What alerts are false? (Modify or remove rules that cause false alerts.)
- What do you do when you get an alert? (Strict behavior for follow-up means less time spent per incident.)
- Do you feel there are other things that should be done to let things run smoother? Then you go back to one of the earlier steps, and repeat the procedure.

As I said, these steps are in no way the panacea of IDS tuning, but they should get you started. Oh, and there are some good books out there that deal with deploying snort, and these books have great tips on what you should look at when tuning.

Anyway, an IDS that is not tuned/customized for your site might as well not be there, because in the long run no one will bother looking at the alerts, because 99% of the alerts will have no meaning to you. The 1% will just get lost in the massive amount of reported alerts.

Kind regards,
Enchanter_tim
Thanks in advance.
Cordial regards
Naveen

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
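The reply above lists "what alerts are false?" as one tuning step but gives no mechanics. The script below is an added example, not part of the thread or of Snort itself: it reads Snort's alert_fast output, ranks signatures by volume and by how concentrated their sources are, and emits candidate threshold.conf lines (the Snort 2 `suppress` / `threshold` directive syntax; the heuristic thresholds, the hostnames and every sample alert line are constructed for the demo, and the SID-to-message pairs should not be taken as authoritative).

```python
"""Rank Snort alert_fast output by signature to find tuning candidates.

Added example for the focus-ids thread, not code from the list or from Snort.
Assumes Snort's alert_fast line format and the Snort 2 threshold.conf
'suppress' / 'threshold' directives; all sample data below is constructed.
"""
import re
from collections import Counter

# One alert_fast line looks like:
# 03/09-21:49:01.100000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] \
#   [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.54:1434 -> 10.1.2.3:1434
FAST_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Constructed sample (not real traffic). 10.1.1.54 is imagined as an internal
# vulnerability scanner that trips the MS-SQL rule on every sweep; the SNMP
# alerts come from several monitoring hosts; sid 1000001 is a local test rule.
SAMPLE_ALERTS = """
03/09-21:49:01.100000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.54:1434 -> 10.1.2.3:1434
03/09-21:49:01.200000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.54:1434 -> 10.1.2.4:1434
03/09-21:49:01.300000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.54:1434 -> 10.1.2.5:1434
03/09-21:49:01.400000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.54:1434 -> 10.1.2.6:1434
03/09-21:49:01.500000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.54:1434 -> 10.1.2.7:1434
03/09-21:49:01.600000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.54:1434 -> 10.1.2.8:1434
03/09-21:50:10.200000  [**] [1:1411:10] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.1.3.10:50000 -> 10.1.2.3:161
03/09-21:50:11.200000  [**] [1:1411:10] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.1.3.11:50001 -> 10.1.2.3:161
03/09-21:50:12.200000  [**] [1:1411:10] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.1.3.12:50002 -> 10.1.2.3:161
03/09-21:55:10.200000  [**] [1:1411:10] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.1.3.10:50003 -> 10.1.2.3:161
03/09-21:51:00.300000  [**] [1:1000001:1] LOCAL test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.7:4321 -> 10.1.2.9:80
Run time for packet processing was 3600.0 seconds
""".strip().splitlines()


def parse_alerts(lines):
    """Return one dict per parseable alert_fast line; other lines are skipped."""
    alerts = []
    for line in lines:
        m = FAST_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def summarize(alerts):
    """Group alerts by (gid, sid): total count, rule message, per-source counts."""
    summary = {}
    for a in alerts:
        key = (a["gid"], a["sid"])
        entry = summary.setdefault(key, {"msg": a["msg"], "count": 0, "srcs": Counter()})
        entry["count"] += 1
        entry["srcs"][a["src"]] += 1
    return summary


def suggest_tuning(summary, noisy=5, single_source_share=0.9, rate_limit=3):
    """Map each signature to a threshold.conf-style suggestion.

    Heuristics (assumptions for this example; adjust per site):
    - many hits, nearly all from one source: suppress that source for the rule,
      once the host is confirmed benign (scanner, monitoring box);
    - moderate volume spread over sources: rate-limit the rule per source;
    - anything else: leave the rule alone and review the alerts by hand.
    """
    suggestions = {}
    for (gid, sid), e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        top_src, top_n = e["srcs"].most_common(1)[0]
        if e["count"] >= noisy and top_n / e["count"] >= single_source_share:
            suggestions[(gid, sid)] = (
                f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {top_src}"
            )
        elif e["count"] >= rate_limit:
            suggestions[(gid, sid)] = (
                f"threshold gen_id {gid}, sig_id {sid}, type limit, "
                f"track by_src, count 1, seconds 60"
            )
        else:
            suggestions[(gid, sid)] = "review manually"
    return suggestions


if __name__ == "__main__":
    summary = summarize(parse_alerts(SAMPLE_ALERTS))
    for key, text in suggest_tuning(summary).items():
        e = summary[key]
        print(f"{key[0]}:{key[1]} {e['count']:>4}  {e['msg']}\n    -> {text}")
```

Each emitted line is a candidate, not a decision: a `suppress` for a single source is only safe once someone has confirmed that host is a scanner or monitoring system rather than a compromised machine, and a `threshold ... type limit` keeps one alert per source per minute so the event is still visible without flooding the console. In later Snort 2 releases the `threshold` directive was renamed `event_filter`; the arguments stay the same.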