Solved: Re: Common practice in Signature Tuning

Mike Masalla · ‎09-10-2010

Hi,

I wonder if any one knows or would recommend, what signature(s) to tune when a customer asks for signature tuning. There is roughly 3000+ signatures, so which one to start with, and is there a common/best practice for signature tuning.

Appreciate your expertise.

Mike

rhermes · ‎09-10-2010

Mike, I wish I had a easy answer for you, but like most things in life it takes hard work.

Signature tuning is somthing that should occur after an analysis is made of the event.

You can start by picking your heavy hitters and look into why those events are fireing.

Ask youself, are these events that I want to see? Are they REAL intrusions of are they false positivies? Are they actionable?

You can then disable signatures that provide no value to you, turn down the severity of those that you can;t do anything about but still want to know about (say scanning for example) and build filters for hosts you know are triggering signatures you want to keep active (like if you were running an vulneribility scanner in your network).

After time you would havea set of signatures and filters that matched the enviroment the sensor was placed in.

It's hard work, and you have to look at your packet captures to see what is happening, but this is how signatures are tuned.

- Bob

View solution in original post

rhermes · ‎09-10-2010

Mike, I wish I had a easy answer for you, but like most things in life it takes hard work.

Signature tuning is somthing that should occur after an analysis is made of the event.

You can start by picking your heavy hitters and look into why those events are fireing.

Ask youself, are these events that I want to see? Are they REAL intrusions of are they false positivies? Are they actionable?

You can then disable signatures that provide no value to you, turn down the severity of those that you can;t do anything about but still want to know about (say scanning for example) and build filters for hosts you know are triggering signatures you want to keep active (like if you were running an vulneribility scanner in your network).

After time you would havea set of signatures and filters that matched the enviroment the sensor was placed in.

It's hard work, and you have to look at your packet captures to see what is happening, but this is how signatures are tuned.

- Bob

Mike Masalla · ‎09-10-2010

Thanks Bob,

you really made it easy. The problem is when I am visiting the customer to do the installation,configuration, signature update/image upgrade and signature tuning in one single visit.

Anyway, what you have said is very helpful.

Mike

mikecrowe4ICS_2 · ‎09-13-2010

> do the installation, configuration, signature update/image upgrade and signature tuning in one single visit.

In that case, you might want to let the customer know that there are limits on what can be done, and how effective it will be, in such a limited time frame. Like Bob said, it does take hard work, but it also takes time. The network has to be monitored and traffic patterns have to be baselined before any effective tuning can be done. That being said ...

If limited to one visit, I would do a phone conference with the customer a few days or weeks ahead of the installation. I would try to determine what kinds of traffic, events, or attack types they are particularly concerned about.

Do they want to catch/stop traffic like P2P, IM, etc?
- If so, I would activate the signature for the more popular clients/protocols for each one. Bittorrent, utorrent, emule, Yahoo IM, AIM, MSN and so on. If not, deactivate or retire those signatures so they're not using up resources.
any history of virus/worm problems?
- Activate any related signatures available to catch any remaining infections, or re-infections
Are they concerned about spyware internally?
- Have them ID which ones they've seen, then activate related sigs.
What OS(es) do they run on their workstations? What about servers?
- If they're not running OSX or Linux, deactivate many of those signatures. Not running Windows Servers internally? Great, that eliminates many sigs!
Offer to send them a (short) list of other recommended high risk signatures to consider, especially any that are resource intensive on the sensor.

There are many other questions that can be asked ahead of time that can help. Even if it's not 100% perfect, you can walk in the door with a pre-tuned policy that points them in the right direction. They just need to be prepared for the work that's going to follow.