Tuning - Best Performance

Unanswered Question
Sep 29th, 2010

In tuning my signatures for products we do not have, such as HP OpenView: what is the best practice, or what offers the best performance: leaving them in the default state, or disabling them?

Marcin Latosiewicz Fri, 10/01/2010 - 01:03

Best practice would say that you should remove signatures which are not important - which should decrease inspection load a bit.

However you need to think of one thing before doing this:

Am I only interested in attacks against my infrastructure? (Victims in my network)

or

Am I interested in checking for attacks related to my infrastructure? (Source or victims in my network)

Apart from the obvious question - what happens if you do install HP OpenView - will you remember you turned off this signature?

That being said, I understand you already went past the stage where you monitored your traffic in promiscuous mode for several weeks and are confident what you actually have in your network - you identified signatures firing false positives and trimmed them. If so, you can also disable some default signatures not related to your infrastructure.

Will you see a superior gain in performance? I doubt it. But it's a good place to start.

Next up:

- changing normalizer mode

- disabling engines that are not needed.

Hope this helps,

Marcin
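The decision logic in the reply above, as an added example (not part of the original thread and not a Cisco IPS API): a small triage pass over a constructed signature list that keeps signatures for deployed products, keeps everything when you also care about attacks sourced from your own network, and otherwise disables with a recorded reason so the signature is re-enabled automatically if the product later appears in the inventory. Signature IDs, names and the `product` tag are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Signature:
    sig_id: int              # hypothetical numeric id
    name: str
    product: str             # product the signature protects; "any" = not product-specific
    enabled: bool = True
    disabled_reason: str = ""


def sample_signatures():
    # Constructed sample inventory, not real IPS signature data.
    return [
        Signature(1001, "HP OpenView NNM request overflow", "HP OpenView"),
        Signature(1002, "IIS malformed request", "IIS"),
        Signature(1003, "TCP port sweep", "any"),
    ]


def tune_signatures(sigs, deployed_products, watch_outbound):
    """Apply the tuning rule from the reply.

    deployed_products: product names actually present in the network.
    watch_outbound: True when attacks *sourced* from our network matter too,
    in which case nothing is disabled (our hosts could target the product elsewhere).
    """
    deployed = {p.lower() for p in deployed_products}
    for s in sigs:
        if s.product == "any" or s.product.lower() in deployed:
            # Product is present (or the signature is generic): make sure it is on.
            # Also answers "will you remember you turned it off?" for absent-product cases.
            if not s.enabled and s.disabled_reason.startswith("absent:"):
                s.enabled = True
                s.disabled_reason = ""
            continue
        if watch_outbound:
            continue                     # source-or-victim mode: keep everything
        s.enabled = False                # victims-only mode: product is absent
        s.disabled_reason = f"absent:{s.product}"
    return sigs


def disabled_ids(sigs):
    return sorted(s.sig_id for s in sigs if not s.enabled)
```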
