RE: on NIDS/NIPS tuning

["David Kee" <templeofprs () hotmail com>]

I am curious to know what SIM product can handle un-tuned IDS alerts in 
addition to firewall logs, server logs, and application logs. How accurate 
is the list of message ID's and the message parsing? I doubt that there is a 
SIM vendor that has a correlation engine that can handle a fraction of the 
traffic in an average data-center or enterprise network. Can they provide 
packaged reporting and alert management? Flat-file or relational database? 
Don't forget about your SOC operators who have to manage the message queue 
and respond to all of the alerts. You can not just push traffic to a SIM and 
have it magically (and accurately) generate some golden nugget message. What 
are you using to gather vulnerability assessment information and how is the 
SIM correlating against that information? Valid alerts need to be measured 
against the vulnerability of the device/application (patch levels, 
hardening, etc).
> -----Original Message-----
> From: Kohlenberg, Toby [mailto:toby.kohlenberg () intel com]
> Sent: Monday, June 13, 2005 10:42 AM
> To: Hazel, Scott A.; focus-ids () securityfocus com
> Subject: RE: on NIDS/NIPS tuning
>
> I'd suggest that IDS(ips) tuning is still essential. Not only do
> rules/sigs
> need to be tuned but new sigs/rules need to be added to fit your
> environment.
>
> Where to tune is a very good question and not easily answered. I
> generally
> try to tune on the sensor first and on the SIM second. The idea being
> that I
> want to decrease the work the sensor has to do rather than just ignore
> it.
>
> That said, it's only reasonable to do that if you can be confident of
> reducing
> false positives without increasing false negatives at the same time.
>
> toby
>
> >-----Original Message-----
> >From: Hazel, Scott A. [mailto:Scott.Hazel () unisys com]
> >Sent: Saturday, June 11, 2005 9:20 PM
> >To: focus-ids () securityfocus com
> >Subject: RE: on NIDS/NIPS tuning
> >
> >This is a fundamental question we've been dealing with as well. By
> >default we tune the IDS. But when the SIM tool is thrown into the mix,
> >the question becomes where to tune. Theoretically, the SIM uses all the
> >data it sees to correlate attacks, attackers, trends in suspicious
> >activity, etc. If you tune what appears to be noise at the IDS, you
> >could potentially be tuning out data the SIM uses to correlate
> >and alert
> >on a higher quality event.
> >
> >Conversely, tuning out known FP's at the IDS should create a higher
> >quality data stream for the SIM to use. Logic points me to opening the
> >IDS and letting the SIM do the work. The SIM would also be where the
> >data was tuned. In the end, it seems you could go either way depending
> >on how you want your alerts served up to you and how much disk you've
> >got to hold all that data in the IDS.
> >
> >Thanks for starting this thread though. Tuning an IDS seems as much an
> >art as a science. I'm glad to see input on how the rest of you handle
> >it.
> >
> >Scott Hazel
> >
> >-----Original Message-----
> >From: Gary Halleen [mailto:ghalleen () cisco com]
> >Sent: Friday, June 10, 2005 4:17 PM
> >To: 'Drew Simonis'; 'Anton A. Chuvakin'; focus-ids () securityfocus com
> >Subject: RE: on NIDS/NIPS tuning
> >
> >I'm seeing many organizations now tuning not on the IDS, but on the SIM
> >product they're using for monitoring them.
> >
> >Gary
> >
> >
> >-----Original Message-----
> >From: Drew Simonis [mailto:simonis () myself com]
> >Sent: Friday, June 10, 2005 6:02 AM
> >To: Anton A. Chuvakin; focus-ids () securityfocus com
> >Subject: Re: on NIDS/NIPS tuning
> >
> >>
> >> All,
> >>
> >> I was thinking about some issues with IDS alerts (their volume, etc)
> >> and realized I could use some help from the list. It might
> >also be a
> >> fun discussion item.
> >>
> >> So, here it is: how many folks who buy/download a NIDS/NIPS actually
> >> tune it? Long time ago when I was asking this question the previous
> >> time, I was scared to learn that lots of people do not tune their
> >> NIDSs. Is it any better now?
> >>
> >
> >I know that, in my experience, many orgs don't tune at all.
> >The fear is
> >that they might do it wrong and thereby miss some important
> >event.  IMO,
> >this is a stupid way of thinking, but I bet it isn't as rare as it
> >should
> >be.
> >
> >In other cases, people do not tune and rely on a correlation engine or
> >MSS
> >to filter the events.  This is better, but really just moves the tuning
> >to a
> >different level.
> >
> >Personally, I tune sigs and also tailor the sig sets to the devices
> >being
> >monitored.  For example, if there are no webservers on a segment, I
> >might
> >not be as inclined to use sigs that check for Apache exploits.  I've
> >never
> >really measured the impact on the system vs. the administrative cost of
> >doing this, however, so it is quite possible I am wasting time for a
> >negligable benefit.
> >
> >On the tuning side, I believe that filters and exclusions
> >should be part
> >of
> >the incident response lifecycle.  If I am alerted to an event
> >by an IDS,
> >I
> >investigate and discover that the event was benign or did not take
> >place, a
> >filter should result, and thus be properly documented.
> >
> >-Ds
> >
> >--
> >___________________________________________________________
> >Sign-up for Ads Free at Mail.com
> >http://promo.mail.com/adsfreejump.htm
> >
> >
> >---------------------------------------------------------------
> >---------
> >--
> >Test Your IDS
> >
> >Is your IDS deployed correctly?
> >Find out quickly and easily by testing it with real-world attacks from
> >CORE IMPACT.
> >Go to
> >http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> >
> >to learn more.
> >---------------------------------------------------------------
> >---------
> >--
> >
> >---------------------------------------------------------------
> >---------
> >--
> >Test Your IDS
> >
> >Is your IDS deployed correctly?
> >Find out quickly and easily by testing it with real-world attacks from
> >CORE IMPACT.
> >Go to
> >http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> >
> >to learn more.
> >---------------------------------------------------------------
> >---------
> >--
> >
> >
> >---------------------------------------------------------------
> >-----------
> >Test Your IDS
> >
> >Is your IDS deployed correctly?
> >Find out quickly and easily by testing it with real-world attacks from
> >CORE IMPACT.
> >Go to
> >http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> >to learn more.
> >---------------------------------------------------------------
> >-----------
> >
> >
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> --------------------------------------------------------------------------

_________________________________________________________________
Don’t just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------