Baselining or Soaking a Sensor

Unanswered Question
Jul 14th, 2008

When bringing up a new sensor in a network, typically how long should the sensor be allowed to baseline or soak before tuning begins? Does Cisco recommend a specific time period?

attmidsteam Mon, 07/14/2008 - 07:07

We have a modified policy we use to start with but typically two weeks seems to be sufficient. That depends upon the sort of traffic you see, the placement of the sensor, and how busy it is. I could easily see spending an hour a day for several weeks tuning/profiling if this sensor was generating 50k events / day.

rhermes Mon, 07/14/2008 - 11:36

You can begin performing event analysis as soon as you plug your sensor into the network. This will allow you to eliminate false positives and create filters for events you don't want to see again from a particular host/network. The more you tune your signatures, the higher the quality of events you will get from them.

The only aspect that might need any “soak” time is the dozen or so “anomaly engine signatures.” The anomaly engine needs a day to a week to “learn” what is normal traffic on your network, but that isn't any reason to wait to begin signature tuning.


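The two replies above describe one workflow: profile the event stream to see which signatures dominate, write filters that suppress known-benign sources for a given signature, and let an anomaly baseline learn before acting on it. The following is an added example written for this page, not code from the thread or from any Cisco product. The event tuples, the `FILTERS` rule shape (signature ID plus attacker network) and the threshold-style `anomalies()` check are all constructed simplifications of what the posts describe, not a vendor format or the real anomaly engine's algorithm.

```python
"""Toy model of IPS event profiling, event-action filtering and baselining.

Added example for this page; every event, filter and threshold here is
constructed for illustration and does not reproduce any real sensor API.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of sensor events: (sig_id, attacker_ip, victim_ip, victim_port)
SAMPLE_EVENTS = [
    (2004, "10.1.1.5", "10.2.0.10", 161),     # SNMP polls from an internal monitoring host
    (2004, "10.1.1.5", "10.2.0.11", 161),
    (2004, "10.1.1.5", "10.2.0.12", 161),
    (3050, "192.0.2.7", "10.2.0.10", 22),     # repeated SSH attempts from outside
    (3050, "192.0.2.7", "10.2.0.10", 22),
    (5555, "10.1.1.5", "10.2.0.20", 80),
    (5555, "198.51.100.9", "10.2.0.20", 80),
]

# Hypothetical filter rules: suppress a signature when the attacker address
# falls inside a network the analyst has judged benign for that signature.
FILTERS = [
    {"sig_id": 2004, "attacker_net": "10.1.1.0/24", "reason": "internal SNMP poller"},
]


def profile(events):
    """Signatures ordered by hit count: the worklist an analyst tunes from."""
    return Counter(sig for sig, *_ in events).most_common()


def apply_filters(events, filters):
    """Drop events matched by any filter; everything else is kept for analysis."""
    kept = []
    for sig, attacker, victim, port in events:
        src = ip_address(attacker)
        if any(f["sig_id"] == sig and src in ip_network(f["attacker_net"])
               for f in filters):
            continue
        kept.append((sig, attacker, victim, port))
    return kept


def learn_baseline(events):
    """Per-destination-port hit counts seen during the learning window."""
    return Counter(port for *_, port in events)


def anomalies(baseline, window_events, factor=3):
    """Ports whose count in a new window exceeds factor * learned count.

    A port never seen during learning has a baseline of 0, so any hit on it
    is reported. This is a deliberate simplification of 'learn what is normal'.
    """
    current = Counter(port for *_, port in window_events)
    return {p: c for p, c in current.items() if c > factor * baseline.get(p, 0)}


if __name__ == "__main__":
    print("top signatures:", profile(SAMPLE_EVENTS))
    remaining = apply_filters(SAMPLE_EVENTS, FILTERS)
    print("after filters:", len(remaining), "of", len(SAMPLE_EVENTS), "events remain")
    base = learn_baseline(SAMPLE_EVENTS)
    burst = [(3050, "192.0.2.7", "10.2.0.10", 22)] * 7
    print("anomalous ports in new window:", anomalies(base, burst))
```

The point of separating `profile()` from `apply_filters()` is the one rhermes makes: filtering can start on day one and each filter immediately shrinks the worklist, while `learn_baseline()` needs its window to fill before `anomalies()` means anything.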