Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Baselining or Soaking a Sensor

When a bringing up a new sensor in a network typically how long should the sensor be allowed to baseline or soak for before tunning begins? Does cisco recommend a specific time period?

2 REPLIES
Silver

Re: Baselining or Soaking a Sensor

We have a modified policy we use to start with but typically two weeks seems to be sufficient. That depends upon the sort of traffic you see, the placement of the sensor, and how busy it is. I could easily see spending an hour a day for several weeks tuning/profiling if this sensor was generating 50k events / day.

Gold

Re: Baselining or Soaking a Sensor

You can begin performing event analysis as soon as you plug your sensor into the network. This will allow you eliminate false positives and create filters for events you don't want to see again from a particular host/network. The more you tune your signatures, the higher the quality of events you will get from them.

The only aspect that might need any “soak” time is the dozen or so “anomaly engine signatures” The anomaly engine needs a day to a week to “learn” what is normal traffic on your network, but that isn't any reason to wait to begin signature tuning.

263
Views
0
Helpful
2
Replies
CreatePlease login to create content