Baselining or Soaking a Sensor

niall-wilkins
Level 1

When bringing up a new sensor in a network, typically how long should the sensor be allowed to baseline or soak before tuning begins? Does Cisco recommend a specific time period?

2 Replies

attmidsteam
Level 1

We have a modified policy we use to start with but typically two weeks seems to be sufficient. That depends upon the sort of traffic you see, the placement of the sensor, and how busy it is. I could easily see spending an hour a day for several weeks tuning/profiling if this sensor was generating 50k events / day.

You can begin performing event analysis as soon as you plug your sensor into the network. This will allow you to eliminate false positives and create filters for events you don't want to see again from a particular host/network. The more you tune your signatures, the higher the quality of events you will get from them.

The only aspect that might need any "soak" time is the dozen or so "anomaly engine signatures". The anomaly engine needs a day to a week to "learn" what is normal traffic on your network, but that isn't any reason to wait to begin signature tuning.
