I wonder if anyone knows or would recommend what signature(s) to tune when a customer asks for signature tuning. There are roughly 3000+ signatures, so which one do you start with, and is there a common/best practice for signature tuning?
Appreciate your expertise.
Mike, I wish I had an easy answer for you, but like most things in life it takes hard work.
Signature tuning is something that should occur after an analysis is made of the event.
You can start by picking your heavy hitters and look into why those events are firing.
Ask yourself, are these events that I want to see? Are they REAL intrusions or are they false positives? Are they actionable?
You can then disable signatures that provide no value to you, turn down the severity of those that you can't do anything about but still want to know about (say scanning, for example), and build filters for hosts you know are triggering signatures you want to keep active (like if you were running a vulnerability scanner in your network).
After time you would have a set of signatures and filters that matched the environment the sensor was placed in.
It's hard work, and you have to look at your packet captures to see what is happening, but this is how signatures are tuned.
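The tuning pass described in the answer above, as an added worked example that is not part of this thread: rank signatures by how often they fire, then apply the three decisions (disable, lower severity, exempt a known host) to a set of constructed alert lines. The alert format, signature IDs and addresses are all made up for the example.

```python
from collections import Counter

# Constructed sample alerts in "sig_id|severity|src_ip|description" form.
# Invented for this example; not output of any real sensor.
SAMPLE_ALERTS = """\
2004|high|10.0.0.5|TCP SYN port sweep
2004|high|10.0.0.5|TCP SYN port sweep
2004|high|192.168.1.20|TCP SYN port sweep
3030|medium|10.0.0.5|HTTP dir traversal attempt
3030|medium|172.16.0.9|HTTP dir traversal attempt
1200|low|192.168.1.7|ICMP echo request
1200|low|192.168.1.8|ICMP echo request
1200|low|192.168.1.9|ICMP echo request
1200|low|192.168.1.10|ICMP echo request
5100|high|172.16.0.9|SQL injection in query string
""".splitlines()

def parse_alert(line):
    """Split one alert line into (sig_id, severity, src_ip, description)."""
    sig_id, severity, src_ip, desc = line.split("|", 3)
    return sig_id, severity, src_ip, desc

def heavy_hitters(lines, top_n=3):
    """Rank signatures by fire count: the ones to analyse first."""
    counts = Counter(parse_alert(l)[0] for l in lines)
    return counts.most_common(top_n)

def apply_tuning(lines, disabled, downgraded, host_filters):
    """Apply the three tuning actions from the thread:
    - disabled: signature IDs judged to provide no value -> dropped
    - downgraded: sig_id -> new severity for events you cannot act on
    - host_filters: sig_id -> set of source IPs to exempt (e.g. your own scanner)
    Returns the alerts that would still be shown, with adjusted severity."""
    kept = []
    for line in lines:
        sig_id, severity, src_ip, desc = parse_alert(line)
        if sig_id in disabled:
            continue
        if src_ip in host_filters.get(sig_id, set()):
            continue
        severity = downgraded.get(sig_id, severity)
        kept.append((sig_id, severity, src_ip, desc))
    return kept

def demo():
    # Hypothetical decisions after reviewing the heavy hitters above;
    # a real pass confirms each one against packet captures first.
    disabled = {"1200"}                    # plain ICMP echo: no value here
    downgraded = {"2004": "low"}           # scanning noise: keep, lower severity
    host_filters = {"3030": {"10.0.0.5"}}  # 10.0.0.5 is the authorised vuln scanner
    return apply_tuning(SAMPLE_ALERTS, disabled, downgraded, host_filters)
```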