Fine tuning IDS

Unanswered Question
Apr 16th, 2008

Hi,

We are going to tune the IDS signature. No idea how to do it.

Please somebody suggest.

Thanking u

Navin

attmidsteam Wed, 04/16/2008 - 09:59

Your post leaves much information to be desired. Do you want to tune a single signature or a group of signatures? Do you want to simply disable a signature, or do you want to change the summarization key or regex patterns? etc., etc., etc.

Are you using the IDM, the sensor console CLI, or CSM? Each method varies wildly.

ankurs2008 Wed, 04/16/2008 - 23:57

Hi attmidsteam

I have a query regarding fine-tuning IDS signatures. I am using the old IDM (snapshots attached). I want to know, if for a particular signature I want to disable the logging from a specific source IP range to a destination IP range, how to go about this in the same. Is it that we do it via an Event filter?

I know how to do it in IDM 5 (we need to go to Event action filters and subtract the action). Kindly help me in IDM 4.

Regards

Ankur

Attachment: 
attmidsteam Thu, 04/17/2008 - 05:45

Yes, if you want to filter a specific signature from a certain source range to a certain destination range, you'll use an event filter.

navin_rk3 Fri, 04/18/2008 - 23:35

Hi Attmidsteam,

We got this new project recently, so we want to fine tune or customize the signatures as per our organisation's traffic.

My question is how to customize, or how to use network taps?

We are accessing the IDS through the IDM as well as the CLI, and we are not using CSM, but it is monitored through the event viewer.

Please suggest.

Thanking u

Navin

rhermes Sat, 04/19/2008 - 06:24

Configuring an Event Filter (as suggested by attmidsteam) is a very different question from how to use a network tap.

Do you have traffic to monitor arriving at your sensor? If not, then you need to either use a network tap (instructions provided by the vendor) or use a switch with port spanning enabled for promiscuous sniffing. For inline traffic, you need to create per-interface or VLAN pairs and cable your network traffic to flow through your IPS.

The CLI and IDM steps for configuring an Event Filter can be found here:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a00808518b2.shtml
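The filter semantics discussed in this thread (match a signature ID plus an attacker range and a victim range, then subtract an action such as producing an alert, rather than disabling the signature everywhere) can be modelled in a few lines. The following is an added example written for this page; it is not Cisco's code or API, the `Event`/`EventActionFilter` structures, the signature IDs and the addresses are all constructed for illustration.

```python
"""Toy model of an IDS event action filter (added example, not from the thread).

A filter matches on signature ID, attacker (source) range and victim
(destination) range, and *subtracts* actions from matching events. The
signature stays enabled for all other traffic, which is the point of tuning
with a filter instead of disabling the signature. All names and values here
are hypothetical and constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One sensor event: which signature fired, from whom, against whom."""
    sig_id: int
    attacker: str
    victim: str
    actions: frozenset = frozenset({"produce-alert"})


@dataclass
class EventActionFilter:
    """Hypothetical filter: subtract actions for sig_ids between two ranges."""
    name: str
    sig_ids: frozenset
    attacker_range: ipaddress.IPv4Network
    victim_range: ipaddress.IPv4Network
    actions_to_remove: frozenset

    def matches(self, ev: Event) -> bool:
        # ip_address(...) in IPv4Network returns False for a different IP version,
        # so an IPv6 attacker never matches an IPv4 range by accident.
        return (ev.sig_id in self.sig_ids
                and ipaddress.ip_address(ev.attacker) in self.attacker_range
                and ipaddress.ip_address(ev.victim) in self.victim_range)


def make_filter(name, sig_ids, attacker_cidr, victim_cidr, remove):
    """Build a filter from CIDR strings (strict=False tolerates host bits set)."""
    return EventActionFilter(
        name=name,
        sig_ids=frozenset(sig_ids),
        attacker_range=ipaddress.ip_network(attacker_cidr, strict=False),
        victim_range=ipaddress.ip_network(victim_cidr, strict=False),
        actions_to_remove=frozenset(remove),
    )


def apply_filters(event: Event, filters) -> set:
    """Return the actions that survive after every matching filter subtracts its own."""
    remaining = set(event.actions)
    for f in filters:
        if f.matches(event):
            remaining -= f.actions_to_remove
    return remaining


def triage(events, filters) -> dict:
    """Count how many events would still alert vs. be silenced by the filters."""
    counts = {"alerted": 0, "suppressed": 0}
    for ev in events:
        key = "alerted" if "produce-alert" in apply_filters(ev, filters) else "suppressed"
        counts[key] += 1
    return counts


# Constructed tuning rule: an internal scanner subnet (10.0.5.0/24) legitimately
# trips constructed signature 5000 against the server VLAN, so stop alerting on
# that pair only. Signature 5000 still alerts from every other source.
FILTERS = [
    make_filter("scanner-to-servers", [5000], "10.0.5.0/24", "192.168.10.0/24",
                ["produce-alert"]),
]

# Constructed sample events, as a sensor might report them.
SAMPLE_EVENTS = [
    Event(5000, "10.0.5.7", "192.168.10.20"),     # scanner -> server: suppressed
    Event(5000, "172.16.3.9", "192.168.10.20"),   # other source: still alerts
    Event(5001, "10.0.5.7", "192.168.10.20"),     # different signature: still alerts
    Event(5000, "10.0.5.7", "192.168.20.5"),      # victim outside range: still alerts
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.sig_id, ev.attacker, "->", ev.victim, apply_filters(ev, FILTERS))
    print(triage(SAMPLE_EVENTS, FILTERS))
```

The narrow scope of the filter is the safety property worth checking: in the sample run only the scanner-to-server pair loses its alert, while the same signature from any other source, against any other destination, or any other signature from the scanner still alerts.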

navin_rk3 Sat, 04/19/2008 - 18:54

Hi Rhermes,

The network setup is already there. We want to fine tune the IDS using a network tap, and the vendor is Cisco.

We don't know how to analyze the traffic, and the IDS is in promiscuous mode.

Please suggest.

Thank u

navin

attmidsteam Tue, 04/22/2008 - 12:59

I would suggest hiring a professional or outsourcing the security at this point. I can't explain how to be a competent security analyst in a paragraph. You'll want someone with a lot of security experience who can first profile your network based upon the devices/servers in use, and then conduct detailed analysis of the events that are generated to determine which are valid and which are false positives. This is typically a 24hr job as hackers/malware/botnets never sleep. Good luck.
