Educause Security Discussion mailing list archives
Re: IPS signature update process
From: Mike Peterson <mikep () NOC UTORONTO CA>
Date: Tue, 18 Aug 2009 16:26:40 -0400
> We are currently trying to formalize a process for updating our IPS signatures. I was looking to see what other people out there are doing. Management would like to incorporate a review committee to help ensure legitimate traffic doesn't get blocked. I'm struggling to come up with a model that would incorporate this.
I used to review the signature update before applying it, but am now just having the IPS apply immediately/automatically any updates it receives. We've only had 1 "recommended for blocking" rule cause any problems in 4+ years, and I don't think the affected user(s) ever even noticed.

We look over the non-blocking rules for a few weeks before activating them for blocking to check for false positives; we haven't activated many of them (mainly some types of host/port scanning and username/password brute forcing).

The complete set of active rules (blocking and non-blocking) and daily/weekly reports are posted on our internal web site so concerned users can check what the IPS is doing, and we have a site where an IP address can be looked up to see what IPS rules it has triggered in the past 2 months.

Mike

--
Mike Peterson -- Network Security Specialist -- Computer and Network Services
E-mail: mikep () noc utoronto ca
WWW: http://www.noc.utoronto.ca/
Tel: 416-978-5230
Fax: 416-971-1362
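The staged rollout Mike describes (vendor "recommended for blocking" rules go live at once, everything else runs in alert-only mode for a review period and is promoted to blocking only if no false positives turn up, plus a per-IP lookup of what the IPS has done over the last two months) can be modelled as a small bookkeeping tool. The following is an added example written for this archive page; it is not Mike's or the University of Toronto's code and does not talk to any real IPS. The rule IDs, the alert log format, the 21-day review period and the reviewer "false-positive flag" are all constructed assumptions.

```python
"""Staged IPS rule rollout (constructed example).

New vendor rules run in alert-only mode for a review period; a rule is a
candidate for blocking only after that period has elapsed with no reviewer
false-positive flag. Every source IP's trigger history stays queryable so
a user can see which rules fired on their address in a given window.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Rule:
    rid: str                      # constructed rule identifier
    description: str
    vendor_recommends_block: bool  # vendor's "recommended for blocking" flag
    mode: str = "alert"           # "alert" (non-blocking) or "block"
    staged_since: Optional[datetime] = None   # start of the review period
    fp_flags: List[str] = field(default_factory=list)  # reviewer notes


# Constructed alert log: "<ISO timestamp> <rule id> <source ip> <action>".
# This is not the format of any particular IPS product.
ALERT_LOG = """\
2009-08-01T09:12:00 SID-1001 10.20.30.40 alert
2009-08-02T11:40:00 SID-1001 10.20.30.41 alert
2009-08-03T14:05:00 SID-2002 10.20.30.40 alert
2009-08-10T08:30:00 SID-2002 10.20.30.42 alert
2009-08-15T16:00:00 SID-3003 10.20.30.40 block
2009-06-01T10:00:00 SID-1001 10.20.30.40 alert
"""


def parse_alerts(text):
    """Parse the constructed log into (timestamp, rule id, src ip, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rid, src, action = line.split()
        events.append((datetime.fromisoformat(ts), rid, src, action))
    return events


def apply_update(rules, update, received_at):
    """Apply a vendor signature update automatically: rules the vendor marks
    'recommended for blocking' start blocking immediately; all others enter
    alert-only mode and begin their review period."""
    for r in update:
        if r.vendor_recommends_block:
            r.mode = "block"
            r.staged_since = None
        else:
            r.mode = "alert"
            r.staged_since = received_at
        rules[r.rid] = r
    return rules


def promotion_candidates(rules, events, now, min_days=21):
    """Alert-only rules that have been under review for at least min_days
    (assumed: 21) with no false-positive flag, with their hit counts, for
    the review committee to decide on. Returns a sorted list of (rid, hits)."""
    hits = {}
    for _ts, rid, _src, _action in events:
        hits[rid] = hits.get(rid, 0) + 1
    out = []
    for r in rules.values():
        if r.mode != "alert" or r.staged_since is None:
            continue
        if now - r.staged_since < timedelta(days=min_days):
            continue
        if r.fp_flags:          # a reviewer saw legitimate traffic match
            continue
        out.append((r.rid, hits.get(r.rid, 0)))
    return sorted(out)


def promote(rules, rid):
    """Committee decision: switch a reviewed rule from alert to block."""
    rules[rid].mode = "block"
    rules[rid].staged_since = None


def ip_history(events, ip, now, window_days=60):
    """Lookup backing a 'what has the IPS done with my address?' page:
    (rule id, action) pairs with counts for one IP in the last window_days."""
    cutoff = now - timedelta(days=window_days)
    counts = {}
    for ts, rid, src, action in events:
        if src == ip and ts >= cutoff:
            counts[(rid, action)] = counts.get((rid, action), 0) + 1
    return sorted(counts.items())


# Constructed scenario: an update received on 2009-07-20, reviewed on 2009-08-18.
NOW = datetime(2009, 8, 18)
RULES = apply_update({}, [
    Rule("SID-1001", "SSH username/password brute force", False),
    Rule("SID-2002", "Host sweep", False),
    Rule("SID-3003", "Known exploit attempt", True),
], received_at=datetime(2009, 7, 20))
RULES["SID-2002"].fp_flags.append("2009-08-10: matched IT's own vulnerability scanner")
EVENTS = parse_alerts(ALERT_LOG)

if __name__ == "__main__":
    print("ready to promote:", promotion_candidates(RULES, EVENTS, NOW))
    print("history for 10.20.30.40:", ip_history(EVENTS, "10.20.30.40", NOW))
```

The host-sweep rule never becomes a candidate while a reviewer's false-positive note stands on it, which is the role the review committee in the original question would play; the vendor-recommended rule is already blocking and needs no vote. The per-IP lookup deliberately counts blocks and alerts separately so a user can tell whether anything was actually dropped.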