
New Member

Fine tuning IDS

Hi,

We are going to tune the IDS signatures. No idea how to do it.

Please somebody suggest.

Thank you

Navin

7 REPLIES
Silver

Re: Fine tuning IDS

Your post leaves much information to be desired. Do you want to tune a single signature or a group of signatures? Do you want to simply disable a signature, or do you want to change the summarization key or regex patterns? etc., etc., etc.

Are you using the IDM, the sensor console CLI, or CSM? Each method varies wildly.

New Member

Re: Fine tuning IDS

Hi attmidsteam

I have a query regarding fine-tuning IDS signatures. I am using the old IDM (snapshots attached). I want to know, for a particular signature, if I want to disable the logging from a specific source IP range to a destination IP range, how do I go about this in it? Is it done via an event filter?

I know how to do it in IDM 5 (we need to go to Event Action Filters and subtract the action). Kindly help me with IDM 4.

Regards

Ankur

Silver

Re: Fine tuning IDS

Yes, if you want to filter a specific signature from a certain source range to a certain destination range, you'll use an event filter.
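To make the "subtract the action" idea concrete, here is an added Python model of how an event action filter works; it is not Cisco's code and not from this thread. It assumes a filter is keyed on a signature id range plus attacker and victim address ranges, and that it removes actions from matching alerts rather than disabling the signature. The signature ids, addresses and the action name "produce-alert" are constructed sample values (the action name follows Cisco's naming as an assumption).

```python
"""Model of an IDS event action filter: subtract actions from alerts that
match a signature id range and attacker/victim address ranges.
Constructed example, not Cisco IDS/IPS code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One alert as the sensor would raise it before filtering."""
    sig_id: int
    attacker: str          # source IP as a string
    victim: str            # destination IP as a string
    actions: frozenset     # actions the signature is configured to take


@dataclass(frozen=True)
class EventActionFilter:
    """One filter entry: match criteria plus the actions to subtract."""
    name: str
    sig_id_low: int
    sig_id_high: int                 # inclusive
    attacker_net: str                # CIDR, e.g. "10.1.1.0/24" (constructed)
    victim_net: str
    actions_to_remove: frozenset

    def matches(self, alert: Alert) -> bool:
        if not self.sig_id_low <= alert.sig_id <= self.sig_id_high:
            return False
        attacker = ipaddress.ip_address(alert.attacker)
        victim = ipaddress.ip_address(alert.victim)
        return (attacker in ipaddress.ip_network(self.attacker_net)
                and victim in ipaddress.ip_network(self.victim_net))


def apply_filters(alert: Alert, filters) -> frozenset:
    """Return the actions left on the alert after every matching filter has
    subtracted its actions. Filters only remove actions; the signature itself
    stays enabled, so traffic outside the ranges is still alerted on."""
    remaining = set(alert.actions)
    for flt in filters:
        if flt.matches(alert):
            remaining -= flt.actions_to_remove
    return frozenset(remaining)


# Constructed sample filter: stop alerting on signature 2004 when the
# attacker is in 10.1.1.0/24 and the victim is in 192.168.1.0/24.
SAMPLE_FILTERS = [
    EventActionFilter(
        name="suppress-internal-monitor",
        sig_id_low=2004, sig_id_high=2004,
        attacker_net="10.1.1.0/24", victim_net="192.168.1.0/24",
        actions_to_remove=frozenset({"produce-alert"}),
    ),
]

# Constructed sample alerts: one inside both ranges, one from a different
# source, one for a different signature from the same source.
SAMPLE_ALERTS = [
    Alert(2004, "10.1.1.5", "192.168.1.20",
          frozenset({"produce-alert", "log-attacker-packets"})),
    Alert(2004, "172.16.0.9", "192.168.1.20", frozenset({"produce-alert"})),
    Alert(3030, "10.1.1.5", "192.168.1.20", frozenset({"produce-alert"})),
]


def summarize(alerts=SAMPLE_ALERTS, filters=SAMPLE_FILTERS):
    """Map each alert to its remaining actions; an empty set means the
    alert is fully suppressed by the filters."""
    return {(a.sig_id, a.attacker, a.victim): apply_filters(a, filters)
            for a in alerts}


if __name__ == "__main__":
    for key, actions in summarize().items():
        print(key, "->", sorted(actions) or "suppressed")
```

Running it shows why a filter is preferable to disabling the signature outright: only the alert from the filtered source/destination pair loses its "produce-alert" action, while the same signature fired from another source, or a different signature from the same source, is still reported.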

New Member

Re: Fine tuning IDS

Hi Attmidsteam,

We got this new project recently, so we want to fine tune or customize the signatures as per our organisation's traffic.

My question is how to customize them, or how to use network taps?

We are accessing the IDS through the IDM as well as the CLI, and we are not using CSM, but it is monitored through the event viewer.

Please suggest.

Thank you

Navin

Gold

Re: Fine tuning IDS

Configuring an Event Filter (as suggested by attmidsteam) is a very different question from how to use a network tap.

Do you have traffic to monitor arriving at your sensor? If not, then you need to either use a network tap (instructions provided by the vendor) or use a switch with port spanning enabled for promiscuous sniffing. For inline traffic, you need to create per-interface or VLAN pairs and cable your network traffic to flow through your IPS.

The CLI and IDM steps for configuring an Event Filter can be found here:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a00808518b2.shtml

New Member

Re: Fine tuning IDS

Hi Rhermes,

The network setup is already there. We want to fine tune the IDS using a network tap, and the vendor is Cisco.

We don't know how to analyze the traffic. The IDS is in promiscuous mode.

Please suggest.

Thank you

navin

Silver

Re: Fine tuning IDS

I would suggest hiring a professional or outsourcing the security at this point. I can't explain how to be a competent security analyst in a paragraph. You'll want someone with a lot of security experience who can first profile your network based upon the devices/servers in use, and then conduct detailed analysis of the events that are generated to determine which are valid and which are false positives. This is typically a 24-hour job as hackers/malware/botnets never sleep. Good luck.
