09-10-2010 11:15 AM - edited 03-10-2019 05:07 AM
Hi,
I wonder if anyone knows or would recommend what signature(s) to tune when a customer asks for signature tuning. There are roughly 3000+ signatures, so which one to start with, and is there a common/best practice for signature tuning?
Appreciate your expertise.
Mike
09-10-2010 01:13 PM
Mike, I wish I had an easy answer for you, but like most things in life it takes hard work.
Signature tuning is something that should occur after an analysis is made of the event.
You can start by picking your heavy hitters and look into why those events are firing.
Ask yourself, are these events that I want to see? Are they REAL intrusions or are they false positives? Are they actionable?
You can then disable signatures that provide no value to you, turn down the severity of those that you can't do anything about but still want to know about (say scanning for example) and build filters for hosts you know are triggering signatures you want to keep active (like if you were running a vulnerability scanner in your network).
After time you would have a set of signatures and filters that matched the environment the sensor was placed in.
It's hard work, and you have to look at your packet captures to see what is happening, but this is how signatures are tuned.
- Bob
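A script-level sketch of the procedure Bob describes, added here as an example and not code from the thread: count which signatures fire most (the heavy hitters), then apply a tuning policy that disables a no-value signature, lowers the severity of a scan signature, and filters a known vulnerability-scanner host for that signature while keeping it active for everyone else. The events, signature ids, addresses and policy are all constructed for illustration.

```python
from collections import Counter

# Constructed sample of IPS alerts as (signature id, severity, source IP).
# Signature ids and addresses are made up for this example, not real sensor output.
SAMPLE_EVENTS = [
    ("1000", "informational", "10.1.1.20"),  # chatty signature with no value here
    ("1000", "informational", "10.1.1.21"),
    ("1000", "informational", "10.1.1.22"),
    ("1000", "informational", "10.1.1.23"),
    ("1000", "informational", "10.1.1.24"),
    ("2004", "high", "10.1.1.50"),           # port sweep from the internal vuln scanner
    ("2004", "high", "10.1.1.50"),
    ("2004", "high", "10.1.1.50"),
    ("2004", "high", "203.0.113.7"),         # same signature from an outside host
    ("3050", "high", "198.51.100.9"),        # actionable: keep as-is
]

# Hypothetical tuning decisions reached after reviewing the heavy hitters.
DISABLED = {"1000"}                          # no value: disable outright
SEVERITY_OVERRIDES = {"2004": "low"}         # scanning: still want it, cannot act on it
HOST_FILTERS = {("2004", "10.1.1.50")}       # keep the signature, suppress the known scanner

def heavy_hitters(events, top_n=3):
    """Rank signatures by fire count; ties broken by id so the order is stable."""
    counts = Counter(sig for sig, _, _ in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]

def apply_policy(events):
    """Return the events that would still reach the analyst after tuning."""
    kept = []
    for sig, severity, src in events:
        if sig in DISABLED:
            continue                         # signature turned off on the sensor
        if (sig, src) in HOST_FILTERS:
            continue                         # event action filter for a known host
        kept.append((sig, SEVERITY_OVERRIDES.get(sig, severity), src))
    return kept

def tuning_report(events):
    """Before/after event counts per signature, to show what the policy removed."""
    before = Counter(sig for sig, _, _ in events)
    after = Counter(sig for sig, _, _ in apply_policy(events))
    return {sig: (before[sig], after[sig]) for sig in before}

if __name__ == "__main__":
    print("heavy hitters:", heavy_hitters(SAMPLE_EVENTS))
    print("before/after per signature:", tuning_report(SAMPLE_EVENTS))
```

The same three decisions (disable, lower severity, filter a host) are what you would commit on the sensor once the packet captures confirm why each heavy hitter fires.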
09-10-2010 03:31 PM
Thanks Bob,
You really made it easy. The problem is when I am visiting the customer to do the installation, configuration, signature update/image upgrade and signature tuning in one single visit.
Anyway, what you have said is very helpful.
Mike
09-13-2010 05:43 PM
> do the installation, configuration, signature update/image upgrade and signature tuning in one single visit.
In that case, you might want to let the customer know that there are limits on what can be done, and how effective it will be, in such a limited time frame. Like Bob said, it does take hard work, but it also takes time. The network has to be monitored and traffic patterns have to be baselined before any effective tuning can be done. That being said ...
If limited to one visit, I would do a phone conference with the customer a few days or weeks ahead of the installation. I would try to determine what kinds of traffic, events, or attack types they are particularly concerned about.
There are many other questions that can be asked ahead of time that can help. Even if it's not 100% perfect, you can walk in the door with a pre-tuned policy that points them in the right direction. They just need to be prepared for the work that's going to follow.