07-14-2008 04:57 AM - edited 03-10-2019 04:11 AM
When bringing up a new sensor in a network, typically how long should the sensor be allowed to baseline or soak before tuning begins? Does Cisco recommend a specific time period?
07-14-2008 07:07 AM
We have a modified policy we use to start with but typically two weeks seems to be sufficient. That depends upon the sort of traffic you see, the placement of the sensor, and how busy it is. I could easily see spending an hour a day for several weeks tuning/profiling if this sensor was generating 50k events / day.
07-14-2008 11:36 AM
You can begin performing event analysis as soon as you plug your sensor into the network. This will allow you to eliminate false positives and create filters for events you don't want to see again from a particular host/network. The more you tune your signatures, the higher the quality of events you will get from them.
The only aspect that might need any "soak" time is the dozen or so "anomaly engine signatures". The anomaly engine needs a day to a week to "learn" what is normal traffic on your network, but that isn't any reason to wait to begin signature tuning.
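As an added illustration of the profiling workflow the reply above describes (not code from the thread or from Cisco): a small Python script that aggregates sensor alerts collected during the soak period, flags signature/source pairs that fire steadily enough to be false-positive filter candidates, and holds anomaly-engine signatures out of tuning until their learning period has elapsed. The sample alerts and the anomaly-engine signature id are constructed for the example.

```python
from collections import Counter

# Constructed sample alerts (not from the thread); one per line:
# <soak_day> <sig_id> <sig_name> <attacker_ip> <victim_ip>
SAMPLE_ALERTS = """\
1 2004 ICMP-Echo-Request 10.1.1.5 10.2.0.9
1 2004 ICMP-Echo-Request 10.1.1.5 10.2.0.10
1 2004 ICMP-Echo-Request 10.1.1.5 10.2.0.11
2 2004 ICMP-Echo-Request 10.1.1.5 10.2.0.12
2 2004 ICMP-Echo-Request 10.1.1.5 10.2.0.13
2 5081 WWW-WWWBoard-Access 192.0.2.7 10.2.0.20
3 2004 ICMP-Echo-Request 10.1.1.5 10.2.0.14
3 2004 ICMP-Echo-Request 10.1.1.5 10.2.0.15
3 13001 Anomaly-Scanner 10.1.1.99 10.2.0.30
"""

# Hypothetical id set: signatures owned by the anomaly engine, which must
# learn a traffic baseline before its alerts mean anything.
ANOMALY_ENGINE_SIGS = {13001}
LEARN_DAYS = 7  # upper end of the "day to a week" learning window in the reply


def parse_alerts(text):
    """Turn the whitespace-separated alert lines into dicts."""
    alerts = []
    for line in text.splitlines():
        day, sig_id, name, attacker, victim = line.split()
        alerts.append({"day": int(day), "sig_id": int(sig_id), "name": name,
                       "attacker": attacker, "victim": victim})
    return alerts


def filter_candidates(alerts, min_per_day=2):
    """Return (sig_id, attacker) pairs averaging >= min_per_day over the soak.

    One host tripping the same signature every day is the pattern the reply
    describes: a candidate for a host-specific filter, once an analyst has
    confirmed the traffic is benign rather than a persistent attacker."""
    soak_days = max(a["day"] for a in alerts)
    counts = Counter((a["sig_id"], a["attacker"]) for a in alerts)
    return sorted(pair for pair, n in counts.items() if n / soak_days >= min_per_day)


def tunable(sig_id, days_elapsed):
    """Ordinary signatures can be tuned from day one; anomaly-engine ones wait."""
    if sig_id in ANOMALY_ENGINE_SIGS:
        return days_elapsed >= LEARN_DAYS
    return True
```

Raising `min_per_day` makes the candidate list stricter; on a sensor producing tens of thousands of events a day, start high and work down.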