osdir.com
mailing list archive

Subject: Re: IDS Tuning - msg#00027

List: security.ids

On Thursday 09 March 2006 21:49, Naveen Sharma wrote:
> Hi All,
>
> What exactly is IDS tuning ? Please provide steps to tune Snort.
Well,
IDS tuning is not something that is done in 10 minutes.
To clarify:
Tuning an IDS can mean many things to many people. For example, some people
think that tuning means tuning their system to deliver the maximum throughput
and maximum performance by tweaking snort, the OS and the network configuration.
Others would argue that you will get nowhere without weeding out all the rules
that give false positives in your network.

What it comes down to, in my opinion, is that when you tune snort, you
customize the whole IDS environment (network, OS, snort installation,
operator behind the console) to deliver the max out of your IDS environment.

With that philosophy, there aren't a couple of magic steps you can perform, but
it is something that will differ from site to site.

Generally, take this into account:
- Let it run for a while with maxed out settings.
- Is network traffic dropped? (Look at your network configuration; maybe you
need to modify things there, e.g. multiple snort machines in line that check
for different kinds of traffic.)
- Is the machine overloaded in daily use? (Tweak and tune the OS.)
- What alerts are false? (Modify or remove rules that cause false alerts.)
- What do you do when you get an alert? (Strict behavior for follow-up means
less time spent per incident.)
- Do you feel there are other things that should be done to let things run
smoother?

Then you go back to one of the earlier steps, and repeat the procedure.

As I said, these steps are in no way the panacea of IDS tuning, but they
should get you started. Oh, and there are some good books out there that deal
with deploying snort, and these books have great tips on what you should look
at when tuning.

Anyway, an IDS that is not tuned/customized for your site might as well not be
there, because in the long run no one will bother looking at the alerts,
because 99% of the alerts will have no meaning to you. The 1% will just get
lost in the massive amount of reported alerts.


Kind regards,

Enchanter_tim

>
> Thanks in advance.
>
> Cordial regards
>
> Naveen

Previous Message by Date:

RE: IDS Tuning

"IDS Tuning" could be defined as customizing an IDS for one's network. AFAIK
"IDS tuning" would largely imply "IDS signature set tuning", which further
means tweaking/modifying the signature set to reduce false positives and make
the IDS more reliable and also faster in some situations. Every network is
different in some way or other, and hence signatures that are required for a
particular network may not be required for another network. For example, if
your network does not have Apache based web servers then you can disable the
Apache category in Snort. This kind of tuning may also give you better speed
with the IDS. Similarly, an admin would like to disable signatures which are
likely to produce too many false positives in "his" network. I am not sure if
there is a document on this or not, but to tune an IDS you need to have a good
understanding of all app level protocols (SMTP/FTP/Telnet/HTTP etc.) and also
have a good understanding of the signature set.

HTH.

Regards,

Arun
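Both the "what alerts are false?" step in Enchanter_tim's checklist and Arun's point about signature set tuning come down to finding out which signatures fire most, and from where, before touching the rule set. The following is an added example and not code from any poster in this thread: it parses constructed Snort alert_fast lines, ranks signatures by volume and drafts Snort 2.x threshold.conf entries (the `suppress` and `event_filter` syntax are assumed to be what the deployment uses) for an analyst to review rather than apply blindly.

```python
"""Rank noisy Snort signatures from alert_fast lines and draft Snort 2.x threshold.conf
entries. Added example, not any poster's code; the sample alerts are constructed."""
import re
from collections import Counter, defaultdict

# alert_fast: '<ts>  [**] [gid:sid:rev] MSG [**] [...] {PROTO} SRC:PORT -> DST:PORT'
FAST_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?")

def parse_alerts(lines):
    """Yield (gid, sid, msg, src, dst); lines that do not parse are skipped."""
    for line in lines:
        if m := FAST_RE.search(line):
            yield int(m["gid"]), int(m["sid"]), m["msg"], m["src"], m["dst"]

def rank_signatures(lines):
    """Alert count per (gid, sid), per-signature source counts, rule messages."""
    totals, by_src, msgs = Counter(), defaultdict(Counter), {}
    for gid, sid, msg, src, _dst in parse_alerts(lines):
        totals[(gid, sid)] += 1
        by_src[(gid, sid)][src] += 1
        msgs[(gid, sid)] = msg
    return totals, by_src, msgs

def suggest_tuning(lines, src_share=0.8, min_hits=3):
    """Draft threshold.conf lines, noisiest first: a signature fired almost only by
    one host (e.g. an internal scanner) gets a per-source 'suppress'; any other
    noisy signature gets a rate-limiting 'event_filter' so it cannot flood the console."""
    totals, by_src, msgs = rank_signatures(lines)
    out = []
    for (gid, sid), n in totals.most_common():
        if n < min_hits:
            break  # most_common() is sorted, so the rest are rarer still
        top_src, top_n = by_src[(gid, sid)].most_common(1)[0]
        if top_n / n >= src_share:
            out.append(f"# {msgs[(gid, sid)]}: {top_n}/{n} alerts from {top_src}\n"
                       f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {top_src}")
        else:
            out.append(f"# {msgs[(gid, sid)]}: {n} alerts from {len(by_src[(gid, sid)])} sources\n"
                       f"event_filter gen_id {gid}, sig_id {sid}, type limit, track by_src, count 1, seconds 60")
    return out

def _fast(sid, msg, src, dst="192.0.2.10"):
    """Build one constructed alert_fast line (sample data, not a real capture)."""
    return (f"03/09-21:49:00.000000  [**] [1:{sid}:1] {msg} [**] [Classification: Misc] "
            f"[Priority: 3] {{TCP}} {src}:40000 -> {dst}:80")

SAMPLE = ([_fast(2003, "WEB-MISC scanner UA", "10.0.0.5")] * 4  # one host, 4 hits -> suppress
          + [_fast(1000001, "LOCAL noisy rule", s) for s in ("10.0.1.1", "10.0.1.2", "10.0.1.3")]
          + [_fast(384, "ICMP PING", "10.0.2.9")])  # below min_hits -> ignored
```

Run `suggest_tuning()` over a real alert file and the first entries are the signatures worth a closer look; a suppress is only right once you have confirmed the top source is benign.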

Next Message by Thread:

Re: IDS Tuning

On 10/03/06 07:49 +1100, Naveen Sharma wrote:
> Hi All,
>
> What exactly is IDS tuning ? Please provide steps to tune Snort.
>
Homework assignment for a network administrator? Google is your friend, but
anyway:

IDS tuning is configuring the IDS to perform ideally in your environment, with
few false positives in the alerts generated.

Tuning Snort (or any other IDS): You have two options -
1.a) Learn all about networking, the applications you run, and the state of
your network.
1.b) Learn to find bottlenecks in hardware.
1.c) Learn to write Snort signatures.
1.d) Tune Snort.
2.a) Define tuned parameters expected.
2.b) Hire expensive consultant to tune Snort.
2.c) Pay consultant.
2.d) Keep consultant around to understand Snort output.

Nothing replaces the human brain and the ability to RTFM.

Devdas Bhagat