Best Practices document on tuning an IPS 4240

Unanswered Question
Mar 1st, 2007

Hey,

While working on tuning an IPS 4240 for one of my customers, he told me he'd heard of a Best Practices document on tuning the IPS. More than just how to tune the appliance, the document talks about which signatures should be enabled and the best action to configure for them. I've searched for about two weeks now, but have had no luck.

Have you run across such a doc? Do you know of any other info source that can assist with "official" info about signatures/actions to enable on a sensor according to Cisco's experience?

Many thanks.


I have not seen a best practices document. We've been using Cisco IDS/IPS since we bought our first 4230 a few years back. We have found that the smart approach for us, when installing IDS into a new network or installing a new IDS into an existing network, is to leave signatures "on" and "produce alert" for the first few weeks, and verify after watching traffic.

Generally, if the bulk of traffic triggering a particular signature is obviously false-positive, for whatever reason, we will disable that signature as it's unreliable. If only a small amount is false-positive, and the bulk of it is legitimate bad-guy traffic, we will apply overrides as necessary, and block host/TCP reset on the rest.

We have actually written our own interface which works on the IDS Event Viewer software provided by Cisco -- Cisco's software puts all the events into a MySQL database, and we've written our own PHP-based interface to that database, with hooks added for automated and semi-automated reporting to netblock owners. This interface helps the decision-making process.

bberry Mon, 03/26/2007 - 08:38

How do you figure out what is bad guy traffic? I have an IDS 4215 that I am tuning.

I have added an HTTP_PROXY filter to pull out false positives generated by our proxy server. The majority I am seeing now appear to be centered around our SMTP mail servers.
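The triage both posts above describe (leave every signature alerting, then per signature either disable it, filter the known false-positive sources such as the proxy, or block the rest) written out as an added Python example. This is not the PHP/IEV interface mentioned in the earlier reply nor any Cisco tool; the signature IDs, names and addresses are hypothetical, the alert list is constructed rather than captured from a sensor, and the 90% disable threshold is an assumed cut-off, not a figure from the thread.

```python
"""Per-signature tuning triage over IPS alert events (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Alert:
    """One event, modelled on the attacker/victim fields IEV stores."""
    sig_id: int
    sig_name: str
    attacker: str
    victim: str


# Internal hosts whose normal traffic is known to trip signatures: an
# outbound web proxy and a block of SMTP relays (hypothetical addresses).
KNOWN_BENIGN_SOURCES = (
    ip_network("10.0.0.10/32"),   # HTTP proxy
    ip_network("10.0.1.0/29"),    # SMTP relays 10.0.1.0 - 10.0.1.7
)

# What the remaining attackers get, after the poster's "block host / TCP
# reset" choice (Cisco IPS event action names).
DENY_ACTIONS = ("request-block-host", "reset-tcp-connection")


def is_known_benign(addr: str) -> bool:
    """True if the attacker address falls inside a known-benign range."""
    ip = ip_address(addr)
    return any(ip in net for net in KNOWN_BENIGN_SOURCES)


def triage(alerts, disable_threshold=0.9):
    """Group alerts by signature and recommend a tuning action.

    disable : at least disable_threshold of the hits come from benign
              hosts, so the signature is unreliable on this network.
    override: some hits are benign; exempt those sources with an event
              action filter and apply DENY_ACTIONS to the rest.
    deny    : no benign hits; apply DENY_ACTIONS to every attacker.
    """
    buckets = defaultdict(lambda: {"name": "", "total": 0, "benign_hits": 0,
                                   "benign_src": set(), "hostile_src": set()})
    for a in alerts:
        b = buckets[a.sig_id]
        b["name"] = a.sig_name
        b["total"] += 1
        if is_known_benign(a.attacker):
            b["benign_hits"] += 1
            b["benign_src"].add(a.attacker)
        else:
            b["hostile_src"].add(a.attacker)

    report = {}
    for sig_id, b in buckets.items():
        ratio = b["benign_hits"] / b["total"]
        if ratio >= disable_threshold:
            action = "disable"
        elif b["benign_hits"]:
            action = "override"
        else:
            action = "deny"
        report[sig_id] = {
            "name": b["name"],
            "total": b["total"],
            "false_positive_ratio": round(ratio, 2),
            "action": action,
            # attacker addresses to exempt via an event action filter
            "filter_sources": sorted(b["benign_src"]) if action == "override" else [],
            # attackers that should receive DENY_ACTIONS
            "deny_sources": sorted(b["hostile_src"]) if action != "disable" else [],
        }
    return report


# Constructed sample: not real sensor output.
SAMPLE_ALERTS = [
    # every hit from the proxy: 10 of 10 benign -> disable
    *[Alert(60001, "HTTP long URL probe", "10.0.0.10", "192.0.2.5") for _ in range(10)],
    # relay traffic plus two outside hosts: 2 of 6 benign -> override
    Alert(60002, "SMTP command overflow attempt", "10.0.1.2", "192.0.2.25"),
    Alert(60002, "SMTP command overflow attempt", "10.0.1.2", "192.0.2.25"),
    Alert(60002, "SMTP command overflow attempt", "203.0.113.5", "192.0.2.25"),
    Alert(60002, "SMTP command overflow attempt", "203.0.113.5", "192.0.2.25"),
    Alert(60002, "SMTP command overflow attempt", "198.51.100.7", "192.0.2.25"),
    Alert(60002, "SMTP command overflow attempt", "198.51.100.7", "192.0.2.25"),
    # nothing internal involved: 0 of 3 benign -> deny
    Alert(60003, "ICMP flood", "198.51.100.9", "192.0.2.1"),
    Alert(60003, "ICMP flood", "198.51.100.9", "192.0.2.1"),
    Alert(60003, "ICMP flood", "198.51.100.9", "192.0.2.2"),
]

if __name__ == "__main__":
    for sig_id, rec in sorted(triage(SAMPLE_ALERTS).items()):
        print(sig_id, rec["name"], rec["action"], rec["false_positive_ratio"],
              "filter:", rec["filter_sources"], "deny:", rec["deny_sources"])
```

The "filter_sources" list is what would go into the attacker-address side of an event action filter on the sensor (the same idea as the HTTP_PROXY filter), while "deny_sources" are the hosts that keep the block/reset actions. The ratio alone is only a first cut: a signature that fires mostly from an internal relay can still be a real problem on that relay, so the output is a worklist for a human, not a config to push.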
