attmidsteam Wed, 04/16/2008 - 09:59

Your post leaves much information to be desired. Do you want to tune a single signature or a group of signatures? Do you want to simply disable a signature, or do you want to change the summarization key or regex patterns? etc., etc., etc.


Are you using the IDM, the sensor console CLI, or CSM? Each method varies wildly.

ankurs2008 Wed, 04/16/2008 - 23:57

Hi attmidsteam


I have a query regarding fine-tuning IDS signatures. I am using the old IDM (snapshots attached). I want to know, if for a particular signature I want to disable the logging from a specific source IP range to a destination IP range, how to go about this in the same. Is it that we do it via an Event filter?


I know how to do it in IDM 5 (we need to go to Event action filters and subtract the action). Kindly help me in IDM 4.


Regards

Ankur



attmidsteam Thu, 04/17/2008 - 05:45

Yes, if you want to filter a specific signature from a certain source range to a certain destination range, you'll use an event filter.

navin_rk3 Fri, 04/18/2008 - 23:35

Hi Attmidsteam,


We got this new project recently, so we want to fine-tune or customize the signatures as per our organisation's traffic.


My question is how to customize, or how to use network taps?


We are accessing the IDS through the IDM as well as the CLI, and we are not using CSM, but it is monitored through the event viewer.


Please suggest.


Thanking you

Navin

rhermes Sat, 04/19/2008 - 06:24

Configuring an Event Filter (as suggested by attmidsteam) is a very different question from how to use a network tap.

Do you have traffic to monitor arriving at your sensor? If not, then you need to either use a network tap (instructions provided by the vendor) or use a switch with port spanning enabled for promiscuous sniffing. For inline traffic, you need to create per-interface or VLAN pairs and cable your network traffic to flow through your IPS.

The CLI and IDM steps for configuring an Event Filter can be found here:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a00808518b2.shtml
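The event filter semantics described in this thread (for a given signature, subtract an action from alerts whose attacker falls in one address range and whose victim falls in another, while every other alert keeps its actions) as an added Python model; this is not code from the thread and not Cisco's IDM or CLI, and the signature id, address ranges and action names are constructed placeholders:

```python
import ipaddress
from dataclasses import dataclass

def in_range(addr: str, spec: str) -> bool:
    """True if addr falls in spec, given as 'first-last' or as CIDR 'a.b.c.d/nn'."""
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        first, last = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return first <= ip <= last
    return ip in ipaddress.ip_network(spec, strict=False)

@dataclass(frozen=True)
class Alert:
    sig_id: int
    attacker: str
    victim: str
    actions: frozenset

@dataclass(frozen=True)
class EventActionFilter:
    # Inclusive signature id range, attacker/victim ranges, and the actions to subtract.
    sig_first: int
    sig_last: int
    attacker_range: str
    victim_range: str
    actions_to_remove: frozenset

    def matches(self, a: Alert) -> bool:
        return (self.sig_first <= a.sig_id <= self.sig_last
                and in_range(a.attacker, self.attacker_range)
                and in_range(a.victim, self.victim_range))

def apply_filters(alerts, filters):
    """Subtract the actions of every matching filter; non-matching alerts are untouched."""
    result = []
    for a in alerts:
        remaining = set(a.actions)
        for f in filters:
            if f.matches(a):
                remaining -= f.actions_to_remove
        result.append(Alert(a.sig_id, a.attacker, a.victim, frozenset(remaining)))
    return result

# Constructed sample data: signature id 1234 and the addresses are placeholders.
FILTERS = [EventActionFilter(1234, 1234, "10.1.1.1-10.1.1.254", "192.168.5.0/24",
                             frozenset({"produce-alert"}))]
ALERTS = [
    Alert(1234, "10.1.1.7", "192.168.5.20", frozenset({"produce-alert", "deny-attacker-inline"})),
    Alert(1234, "10.9.9.9", "192.168.5.20", frozenset({"produce-alert"})),  # attacker outside range
    Alert(5678, "10.1.1.7", "192.168.5.20", frozenset({"produce-alert"})),  # other signature
]

def remaining_actions():
    """Actions left on each sample alert after the filter is applied."""
    return [sorted(a.actions) for a in apply_filters(ALERTS, FILTERS)]

if __name__ == "__main__":
    print(remaining_actions())
```

Only the first alert matches, and it loses just the subtracted action while keeping the other one.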


navin_rk3 Sat, 04/19/2008 - 18:54

Hi Rhermes,


The network setup is already there. We want to fine-tune the IDS using a network tap, and the vendor is Cisco.


We don't know how to analyze the traffic, and the IDS is in promiscuous mode.


Please suggest.


Thank you

navin

attmidsteam Tue, 04/22/2008 - 12:59

I would suggest hiring a professional or outsourcing the security at this point. I can't explain how to be a competent security analyst in a paragraph. You'll want someone with a lot of security experience who can first profile your network based upon the devices/servers in use, and then conduct detailed analysis of the events that are generated to determine which are valid and which are false positives. This is typically a 24-hour job, as hackers/malware/botnets never sleep. Good luck.

