Cisco Support Community

New Member

Effectiveness of IDS default signatures

Are the IDS default signature settings effective, or is it necessary to tune them, assuming that only basic HTTP, HTTPS, and SMTP traffic is passing out of your network?


New Member

Re: Effectiveness of IDS default signatures

The default signature settings are a good starting point. As the IDS is used and alarms are fired, tuning is usually required on most networks. Tuning the base signatures usually falls in three categories: turning off signatures (even just for one host), turning signatures on, and changing the default severity.

Turning off signatures: This is usually done on a system-wide basis if you feel you don't need the signature at all (i.e. you only run Apache and don't care about IIS signatures). Usually this doesn't happen, as most people want to know if they are getting attacked even though the attack is doomed to fail. But you can also turn signatures 'off' for single hosts by using the RecordOfExcludedAddress; this is typically used once you discover a machine that produces traffic that trips a 'false positive' in a particular signature. This type of tuning is somewhat common.

Turning signatures on: There are relatively few signatures that are turned off by default. These signatures are usually too nosy and pose a small amount of risk. One example would be a NETBIOS session failure, a common event in a Windows network and usually too nosy to be any good. However, if you run a largely UNIX environment with only a couple of Windows boxes, you might see value in having this signature on.

Changing the default severity: This is done typically because the administrator finds some attacks more serious than others. The administrator might only want a few level 5 sigs while there are many at that level in the default configuration. This is entirely a personal perspective thing.

The examples above are simple examples to illustrate a point; the bottom line is that the administrator knows his/her network best and is usually the best person to tune their sensor. It isn't something you do in one night, though... time teaches you things as your IDS is present on your network and you investigate alarms. Eventually, tuning will be used to help limit (or strengthen) your investigations.
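
The three tuning categories from the answer above, modelled as an added example that is not part of the original post or of any Cisco sensor configuration schema: a per-host exclusion (standing in for RecordOfExcludedAddress) silences one host without disabling the signature for everyone else, an off-by-default signature is switched on, and a severity is raised. Signature IDs, names, hosts and events are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of a sensor's tuning knobs; not Cisco's real schema.
@dataclass
class Signature:
    sig_id: int
    name: str
    enabled: bool = True
    severity: int = 3                    # 1 (low) .. 5 (high), as in the thread
    excluded: set = field(default_factory=set)  # hosts excluded from this signature
                                                # (stands in for RecordOfExcludedAddress)

@dataclass
class Sensor:
    sigs: dict

    def turn_off(self, sig_id):             # category 1: system-wide off
        self.sigs[sig_id].enabled = False
    def exclude_host(self, sig_id, host):   # category 1, for a single host only
        self.sigs[sig_id].excluded.add(host)
    def turn_on(self, sig_id):              # category 2: enable an off-by-default sig
        self.sigs[sig_id].enabled = True
    def set_severity(self, sig_id, level):  # category 3: change default severity
        self.sigs[sig_id].severity = level

    def alarms(self, events):
        """Return (sig_id, src_host, severity) for each event that still fires."""
        out = []
        for sig_id, src in events:
            sig = self.sigs[sig_id]
            if sig.enabled and src not in sig.excluded:
                out.append((sig_id, src, sig.severity))
        return out

def build_sensor():
    # Constructed signature IDs; not real Cisco signature numbers.
    return Sensor({
        1001: Signature(1001, "IIS directory traversal", severity=4),
        1002: Signature(1002, "NETBIOS session failure", enabled=False, severity=1),
        1003: Signature(1003, "SMTP relay attempt", severity=3),
    })

# Constructed sample events: (signature id, source host)
EVENTS = [(1001, "10.0.0.5"), (1001, "10.0.0.9"), (1002, "10.0.0.7"),
          (1003, "10.0.0.5"), (1003, "10.0.0.5")]

def default_alarms():
    return build_sensor().alarms(EVENTS)      # 1002 is off by default: 4 alarms

def tuned_alarms():
    s = build_sensor()
    s.exclude_host(1001, "10.0.0.5")  # known scanner host trips a false positive
    s.turn_on(1002)                   # mostly-UNIX shop: NETBIOS failures are interesting
    s.set_severity(1003, 5)           # mail relay abuse matters most on this network
    return s.alarms(EVENTS)           # 10.0.0.9 still fires 1001; 10.0.0.5 does not
```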

Cisco Employee

Re: Effectiveness of IDS default signatures

Tony wrote "...signatures are usually too nosy and pose a small amount of risk."

I believe he meant to say the signatures are usually too *noisy*.

