IDS mailing list archives

RE: on NIDS/NIPS tuning


From: "M. Shirk" <shirkdog_list () hotmail com>
Date: Fri, 10 Jun 2005 11:11:04 -0400

About a year ago, a client wanted ALL alerts with absolutely no filtering. This presented a problem for the analysts as there were 100,000+ events per day. We had to actually filter out events that were false positives and false alarms from the analysts' displays while still logging the events to a DB. There was a lot of wasted time on trying to archive and work with the DB when we could have just filtered the traffic.

That is the worst I can think of. In other environments, the sensors were tuned and regularly tested and were basically the analysts' best friends.

:-)

Shirkdog
http://www.shirkdog.us



From: "Anton A. Chuvakin" <anton () chuvakin org>
To: focus-ids () securityfocus com
Subject: on NIDS/NIPS tuning
Date: Thu, 9 Jun 2005 13:01:20 -0400 (EDT)

All,

I was thinking about some issues with IDS alerts (their volume, etc.) and
realized I could use some help from the list. It might also be a fun
discussion item.

So, here it is: how many folks who buy/download a NIDS/NIPS actually tune
it? A long time ago, when I was asking this question the previous time, I was
scared to learn that lots of people do not tune their NIDSs. Is it any
better now?

Best,
--
Anton A. Chuvakin, Ph.D., GCIA, GCIH, GCFA
     http://www.info-secure.org
   http://www.securitywarrior.com
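The reply above describes keeping every event in the database while tuning what reaches the analysts' console. The following is an added illustration of that split, written for this archive and not code from either poster or from any NIDS product: it archives all alerts in an in-memory SQLite table, applies simplified suppress and rate-limit rules modelled loosely on common NIDS tuning idioms, and reports what the tuning hid so the rules can be reviewed. The signature IDs, addresses, messages and rules are constructed for the example.

```python
"""Archive every alert, tune what the analyst sees (added example).

Sample alerts and tuning rules below are constructed for illustration.
SUPPRESS and RATE_LIMIT are a simplified model of signature suppression and
per-source rate limiting, not any product's configuration format.
"""
import sqlite3
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: float   # epoch seconds
    sid: int    # signature id (constructed values)
    src: str
    dst: str
    msg: str


# (sid, src) -> hide from the console; src None means hide for every source.
SUPPRESS = {
    (1000001, None),        # benign SNMP probe from the internal monitoring host
    (1000002, "10.0.0.5"),  # authorised vulnerability scanner tripping web sigs
}
# sid -> (max shown, window seconds) per source address.
RATE_LIMIT = {1000003: (1, 60)}  # ICMP sweep sig: one per source per minute


class AlertPipeline:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE alerts(ts REAL, sid INT, src TEXT, dst TEXT, "
            "msg TEXT, shown INT)"
        )
        self._shown_times = defaultdict(list)  # (sid, src) -> timestamps shown
        self.queue = []  # what the analyst console displays

    def _tuned_out(self, a):
        """Return True when tuning rules hide this alert from the console."""
        if (a.sid, None) in SUPPRESS or (a.sid, a.src) in SUPPRESS:
            return True
        if a.sid in RATE_LIMIT:
            limit, window = RATE_LIMIT[a.sid]
            key = (a.sid, a.src)
            recent = [t for t in self._shown_times[key] if a.ts - t < window]
            self._shown_times[key] = recent
            if len(recent) >= limit:
                return True
            recent.append(a.ts)
        return False

    def ingest(self, a):
        """Archive the alert unconditionally; queue it only if not tuned out."""
        shown = not self._tuned_out(a)
        self.db.execute(
            "INSERT INTO alerts VALUES (?,?,?,?,?,?)",
            (a.ts, a.sid, a.src, a.dst, a.msg, int(shown)),
        )
        if shown:
            self.queue.append(a)
        return shown

    def archived_count(self):
        return self.db.execute("SELECT COUNT(*) FROM alerts").fetchone()[0]

    def noise_report(self):
        """Hidden alerts per signature, from the archive, for rule review."""
        rows = self.db.execute(
            "SELECT sid, COUNT(*) FROM alerts WHERE shown = 0 GROUP BY sid"
        ).fetchall()
        return dict(Counter({sid: n for sid, n in rows}))


# Constructed sample feed: documentation and test-net addresses only.
SAMPLE_ALERTS = [
    Alert(0, 1000001, "10.0.0.9", "10.0.1.20", "SNMP public community probe"),
    Alert(1, 1000002, "10.0.0.5", "10.0.1.30", "web attack pattern"),
    Alert(2, 1000002, "203.0.113.7", "10.0.1.30", "web attack pattern"),
    Alert(3, 1000003, "198.51.100.4", "10.0.1.0", "ICMP sweep"),
    Alert(4, 1000003, "198.51.100.4", "10.0.1.1", "ICMP sweep"),
    Alert(5, 1000003, "198.51.100.4", "10.0.1.2", "ICMP sweep"),
    Alert(6, 1000004, "203.0.113.7", "10.0.1.30", "suspicious URI"),
    Alert(70, 1000003, "198.51.100.4", "10.0.1.3", "ICMP sweep"),
]


def run_sample():
    """Feed the constructed alerts through the pipeline and return it."""
    p = AlertPipeline()
    for a in SAMPLE_ALERTS:
        p.ingest(a)
    return p


if __name__ == "__main__":
    p = run_sample()
    print("archived:", p.archived_count(), "shown:", len(p.queue))
    print("hidden per sid:", p.noise_report())
```

Eight alerts are archived but only four reach the queue: the global suppression hides the SNMP probe, the per-source suppression hides the scanner but not the same signature from an external address, and the rate limit shows the first sweep alert, hides the next two, and shows the one that arrives after the window has expired. Because everything is still in the table, `noise_report()` can show how much each rule is hiding, which is the check that keeps a suppression from quietly swallowing real events.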


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------

