
Fine tuning IDS

navin_rk3
Level 1

Hi,

We are going to tune the IDS signatures. No idea how to do it.

Please somebody suggest.

Thank you

Navin

7 Replies

attmidsteam
Level 1

Your post leaves much information to be desired. Do you want to tune a single signature or a group of signatures? Do you want to simply disable a signature, or do you want to change the summarization key or regex patterns? etc., etc., etc.

Are you using the IDM, the sensor console CLI, or CSM? Each method varies wildly.

Hi attmidsteam

I have a query regarding fine-tuning IDS signatures. I am using the old IDM (snapshots attached). I want to know, if for a particular signature I want to disable the logging from a specific source IP range to a destination IP range, how to go about this. Do we do it via an event filter?

I know how to do it in IDM 5 (we need to go to Event Action Filters and subtract the action). Kindly help me with IDM 4.

Regards

Ankur

Yes, if you want to filter a specific signature from a certain source range to a certain destination range, you'll use an event filter.

Hi Attmidsteam,

We got this new project recently, so we want to fine tune or customize the signatures as per our organisation's traffic.

My question is how to customize, or how to use network taps?

We are accessing the IDS through the IDM as well as the CLI. We are not using CSM, but monitor through the event viewer.

Please suggest.

Thank you

Navin

Configuring an Event Filter (as suggested by attmidsteam) is a very different question from how to use a network tap.

Do you have traffic to monitor arriving at your sensor? If not, then you need to either use a network tap (instructions provided by the vendor) or use a switch with port spanning enabled for promiscuous sniffing. For inline traffic, you need to create per-interface or VLAN pairs and cable your network traffic to flow through your IPS.

The CLI and IDM steps for configuring an Event Filter can be found here:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a00808518b2.shtml
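As an added illustration (not from this thread or the linked tech note), here is the CLI form of the event action filter attmidsteam describes: remove only the alert action for one signature when the attacker is in one address range and the victim in another. It assumes the IPS 5.x/6.x `service event-action-rules` syntax; the filter name, signature ID 2004 (used here purely as an example), the two address ranges and the prompt strings are placeholders to replace with your own.

```text
! Added example, not part of the thread. Assumes IPS 5.x/6.x CLI syntax;
! signature ID, address ranges and filter name are placeholders.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
! "insert ... begin" places the filter first; filters are evaluated in order
sensor(config-rul)# filters insert Scanner-Sig2004-Exception begin
sensor(config-rul-fil)# signature-id-range 2004
sensor(config-rul-fil)# subsignature-id-range 0-255
! attacker = source range, victim = destination range (replace both)
sensor(config-rul-fil)# attacker-address-range 10.1.1.1-10.1.1.254
sensor(config-rul-fil)# victim-address-range 192.168.10.1-192.168.10.254
! subtract only the alert; any other configured actions are left in place
sensor(config-rul-fil)# actions-to-remove produce-alert
sensor(config-rul-fil)# filter-item-status Enabled
! stop evaluating later filters once this one matches
sensor(config-rul-fil)# stop-on-match True
sensor(config-rul-fil)# user-comment Authorized scanner, alert suppressed for this pair only
sensor(config-rul-fil)# exit
sensor(config-rul)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
! verify: the signature still fires for other source/destination pairs
sensor# show events alert past 00:10:00
```

The filter subtracts an action rather than disabling the signature, so the sensor keeps evaluating signature 2004 for every other source/destination pair; keep the two ranges as tight as the real traffic allows, because a filter that is too broad, placed first with stop-on-match set, silently removes the alert for traffic you still want to see.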

Hi Rhermes,

The network setup is already there. We want to fine tune the IDS using a network tap, and the vendor is Cisco.

We don't know how to analyze the traffic, and the IDS is in promiscuous mode.

Please suggest.

Thank you

navin

I would suggest hiring a professional or outsourcing the security at this point. I can't explain how to be a competent security analyst in a paragraph. You'll want someone with a lot of security experience who can first profile your network based upon the devices/servers in use, and then conduct detailed analysis of the events that are generated to determine which are valid and which are false positives. This is typically a 24hr job as hackers/malware/botnets never sleep. Good luck.
