IDS mailing list archives
Re: IDS Tuning
From: lucien Fransman <lucien.fransman () irc2 nl>
Date: Sun, 12 Mar 2006 11:50:48 +0100
On Thursday 09 March 2006 21:49, Naveen Sharma wrote:
Hi All, what exactly is IDS tuning? Please provide steps to tune Snort.
Well, IDS tuning is not something that is done in 10 minutes. To clarify: tuning an IDS can mean many things to many people. For example, some people think that tuning their system means delivering the maximum throughput and maximum performance by tweaking Snort, the OS and the network configuration. Others would argue that you will get nowhere without weeding out all the rules that give false positives in your network.

What it comes down to, in my opinion, is that when you tune Snort, you customize the whole IDS environment (network, OS, Snort installation, operator behind the console) to deliver the max out of your IDS environment. With that philosophy, there aren't a couple of magic steps you can perform, but it is something that will differ from site to site. Generally, take this into account:

- Let it run for a while with maxed-out settings.
- Is network traffic dropped? (Look at your network configuration. Maybe you need to modify things there: multiple Snort machines in line that check for different kinds of traffic.)
- Is the machine overloaded in daily use? (Tweak and tune the OS.)
- What alerts are false? (Modify or remove rules that cause false alerts.)
- What do you do when you get an alert? (Strict behavior for follow-up means less time spent per incident.)
- Do you feel there are other things that should be done to let things run smoother? Then you go back to one of the earlier steps, and repeat the procedure.

As I said, these steps are in no way the panacea of IDS tuning, but they should get you started. Oh, and there are some good books out there that deal with deploying Snort, and these books have great tips on what you should look at when tuning.

Anyway, an IDS that is not tuned/customized for your site might as well not be there, because in the long run no one will bother looking at the alerts, because 99% of the alerts will have no meaning to you. The 1% will just get lost in the massive amount of reported alerts.

Kind regards,
Enchanter_tim
Thanks in advance.
Cordial regards,
Naveen

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
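The "what alerts are false?" step above is where most of the tuning time goes in practice, and it is easier to do from data than from memory. The script below is an added example, not code from the original post or from the Snort project: it parses Snort 2.x alert_fast lines, ranks signatures by alert count, and drafts threshold.conf entries for the noisy ones. The alert lines, the signature IDs, the IP addresses, the 75% single-source share and the count/time thresholds are all constructed or assumed values for the demonstration; the `suppress` and `threshold` keywords are the Snort 2.x threshold.conf syntax. The output is a starting point for a human to review, not something to load blindly: a signature that fires mostly from one internal host may be an authorised vulnerability scanner, or it may be a compromised box.

```python
"""Rank noisy Snort signatures and draft threshold.conf entries (added example)."""
import re
import sys
from collections import Counter

# Snort 2.x alert_fast line layout:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
# Classification is absent for rules without a classtype; ports are absent for ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (assumed data, not a real capture): one web signature
# dominated by a single internal source, one ICMP signature spread over several
# sources, and one local rule that fired once.
SAMPLE_ALERTS = """\
03/12-11:50:48.123456  [**] [1:2003:8] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:34567 -> 192.168.1.10:80
03/12-11:50:49.001122  [**] [1:2003:8] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:34568 -> 192.168.1.10:80
03/12-11:50:49.550000  [**] [1:2003:8] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:34569 -> 192.168.1.11:80
03/12-11:50:50.000001  [**] [1:2003:8] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:34570 -> 192.168.1.12:80
03/12-11:51:02.778899  [**] [1:2003:8] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.168.1.10:80
03/12-11:51:10.000000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 192.168.1.10
03/12-11:51:11.000000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.10 -> 192.168.1.10
03/12-11:51:12.000000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.11 -> 192.168.1.10
03/12-11:52:00.000000  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 3] {UDP} 198.51.100.4:5353 -> 192.168.1.255:5353
"""


def parse_alert(line):
    """Return the alert fields as a dict, or None for a line that is not an alert."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate alerts per (gid, sid): total count plus per-source and per-destination counters."""
    summary = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # skip blank lines and anything that is not alert_fast output
        entry = summary.setdefault(
            (a["gid"], a["sid"]),
            {"msg": a["msg"], "count": 0, "by_src": Counter(), "by_dst": Counter()},
        )
        entry["count"] += 1
        entry["by_src"][a["src"]] += 1
        entry["by_dst"][a["dst"]] += 1
    return summary


def noisy_signatures(summary, top=5):
    """Signatures ordered by alert volume, noisiest first."""
    return sorted(summary.items(), key=lambda kv: kv[1]["count"], reverse=True)[:top]


def suggest_filters(summary, min_count=3, src_share=0.75):
    """Draft threshold.conf lines for signatures that fired at least min_count times.

    A signature driven mostly (>= src_share) by one source gets a per-source
    'suppress'; one spread across many sources gets a rate-limiting 'threshold'
    so the first hit per source per minute still reaches the console.
    """
    out = []
    for (gid, sid), e in sorted(summary.items(), key=lambda kv: kv[1]["count"], reverse=True):
        if e["count"] < min_count:
            continue
        src, n = e["by_src"].most_common(1)[0]
        if n / e["count"] >= src_share:
            out.append(f"# {e['msg']}: {n}/{e['count']} alerts from {src}; confirm it is an authorised scanner before suppressing")
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
        else:
            out.append(f"# {e['msg']}: {e['count']} alerts over {len(e['by_src'])} sources; rate-limit rather than silence")
            out.append(f"threshold gen_id {gid}, sig_id {sid}, type limit, track by_src, count 1, seconds 60")
    return out


if __name__ == "__main__":
    # Usage: python snort_noise.py [alert_fast_file]; defaults to the constructed sample.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_ALERTS.splitlines()
    summary = summarize(lines)
    for (gid, sid), e in noisy_signatures(summary):
        print(f"{e['count']:6d}  [{gid}:{sid}] {e['msg']}  (top src {e['by_src'].most_common(1)[0][0]})")
    print("\n".join(suggest_filters(summary)))
```

Run it against the real alert file and feed the drafted lines into threshold.conf only after checking each one against what the source actually is; then go back to the "let it run for a while" step, because silencing one signature changes which one is the noisiest next.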
Current thread:
- IDS Tuning Naveen Sharma (Mar 11)
- Re: IDS Tuning lucien Fransman (Mar 14)
- Re: IDS Tuning Devdas Bhagat (Mar 14)
- Re: IDS Tuning Joel Esler (Mar 20)
- <Possible follow-ups>
- RE: IDS Tuning Arun Vishwanathan (Mar 14)