MARS/IPS Signature Tuning

Wilson Samuel · ‎06-18-2007

Hi,

We have got a deployment of IPS v6 with MARS which is thus far quite effective in mitigating most of the issues.

However I'm bit stuck with a scenario and require help, my question goes as below:-

1. For all the TCP based attacks, I guess the best way to defend is to issue a TCP Reset to the Router or PIX, however, oflately I guess more and more attacks (being reported) is of Port Sweep (TCP and ICMP) and that of many worms trying to get propaged using the ICMP.

So in these circumstances, what should be my mitigation strategy? Should I consider shunning? but, shunning doesnt look like practical as the number of hosts originating the attacks are numerous...

2. Once MARS/IPS combo is deployed, should the mitigation strategy always be deployed from the MARS appliance (just like once NMS / LMS is in place we encourage all the configurations to be deployed from LMS only) or should I continue to fine tune the Signatures / Release IDs on the individual IPS Appliancees?

Any help would be greatly appreciated.

Kind Regards,

Wilson Samuel

mhellman · ‎06-19-2007

"For all the TCP based attacks, I guess the best way to defend is to issue a TCP Reset to the Router or PIX"

relative to IDS/IPS, the best way is to simply drop the traffic (i.e. have the sensor inline).

"lately I guess more and more attacks (being reported) is of Port Sweep (TCP and ICMP) and that of many worms trying to get propaged using the ICMP. "

Personally, I don't worry too much about this kind of traffic. If you get too aggressive trying to prevent it, you will open yourself up to a DoS attack.

"Once MARS/IPS combo is deployed, should the mitigation strategy always be deployed from the MARS appliance"

I don't believe MARS can do more than layer 2 mitigation(think switch port). Otherwise it merely recommends where and what to do.

Wilson Samuel · ‎06-19-2007

"don't believe MARS can do more than layer 2 mitigation(think switch port). Otherwise it merely recommends where and what to do."

We do recieve huge number of MAil Alerts, and at present I just ignore most of them, but would definitly like to tune the MARS in a way that, should mail me whenever its really a threat, so going by your words, it should be configured in way that a particular rate of threat say above 90 is hit more than 10 in numbers in a given time frame, it should mail me?

Correct, please help me fine tune this riddle...

Regards,

Wilson Samuel

mhellman · ‎06-19-2007

I wish I could say that I'm confident enough in MARS(or any SIM) to be able to do that effectively...I'm not. It's a lot of work to maintain a SIM system where incidents (all incidents) are meaningful and to create an expectation that they will all be investigated. The approach we took is to tune,tune,tune out the false positives. We do a lot of tuning on the sensors themselves. We do some in MARS too. If you have thousands and thousands of crap incidents in the queue, your analyst are going to lose interest fast and miss the important stuff.

Wilson Samuel · ‎06-19-2007

Ok, got it, the only way out is to 'tune it until eternity...."

Now, I have always thought, whether tune individual IPS/IDS Sensors or tune the MARS directly?

Infact, whenever doing any signature update we can tune those signatures then and there if the number of Sensors are like 1 or 2 but having more than 2 would be difficult.

So, would it be a good idea to tune everything in the MARS itself?

Please let me know your views.

Regards,

Wilson Samuel

mhellman · ‎06-19-2007

that comes down to personal preference. We have a tool for tuning sigs on multiple sensors, so that's how we do it. Tuning in MARS is okay too, but can lead to a bit of a mess over time because neither inspection nor drop rules can ever be deleted, only inactivated.