[Oisf-users] "Recommended" rule settings

Cooper F. Nelson cnelson at ucsd.edu
Thu Jan 15 22:27:32 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

+1  This is standard best practice.

I don't run an IDP now, but when I did, I used the following process.

1.  Run in IDS mode for 24 hours and build a list of all alerts.

2.  Review all unique alerts and decide which ones to promote to 'drop'.

3.  Have a scheduled process to evaluate all new alerts against a
database of previous ones.  Alerts with no prior history are forwarded
to an analyst for review.

On 1/15/2015 12:59 PM, Andreas Moe wrote:
> 
> So to do the TL;DR version.
> No one can say "this is the correct ruleset to run" because they don't
> know your network, your infrastructure, and so on. Start with all rules,
> tune, do performance testing, check for false positives. All new IDS
> solutions need an "initial tuning" phase. Someone trying to "sell you" a
> "this works out of the box" is filled with... sorry for saying this: shit =)
> 

- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJUuD7UAAoJEKIFRYQsa8FWzncIAIGthBd1fp5FY/jW/emaYSan
9DFmZmXdBoBrFn5gWb90VpGkVhzVI9jDMFwlf06hCNmy/7lEN2IyENvp+aFwwZTY
TeH/l1YC2mzlxY7deOjBVYAwJBwnZBvLvUftIn/2P2tBNfIYTDR7A9eVhmnpelJg
7XvplPKiZ1vUIs8eBg/5TsN2lVxJSBR0T/Gig6g8E4JRfoQF9r9gV9JSJlRMef1i
6mD5Vhh+LcNhblDMOOapoYQ2mM7ZmM29/6dZrsRQjn2m4XFa1kyODsf9Xnfb4Ipz
Ge0IXa7cY5KYWPmVdnsPhCBQjmY6fk8BnqPjtBj+5rtLev598k5SgCp3jxVXRxI=
=cO/v
-----END PGP SIGNATURE-----
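The three-step process above (baseline run, review of unique alerts, scheduled comparison of new alerts against a history database) as a small worked example. This is added illustration code, not something posted in the thread and not part of Suricata itself; it assumes Suricata's EVE JSON alert format (`event_type`, `alert.signature_id`, `alert.gid`, `alert.signature`) and uses an SQLite table of its own design as the "database of previous ones". The alert lines are constructed sample data with documentation-range addresses, not captured traffic.

```python
"""Triage Suricata EVE alerts against a history of previously seen signatures.

Added example (not from the mailing-list thread). Implements the process
described above: record every alert seen during the baseline IDS run, list the
unique signatures for review, and on later runs forward only alerts whose
signature has no prior history to an analyst.
"""
import json
import sqlite3

# Constructed sample eve.json lines (fake timestamps, RFC 5737 addresses).
# The field names follow Suricata's EVE "alert" record; the values are made up.
BASELINE_LINES = [
    json.dumps({"timestamp": "2015-01-14T10:00:00.000000+0000", "event_type": "alert",
                "src_ip": "198.51.100.7", "dest_ip": "192.0.2.10", "proto": "TCP",
                "alert": {"gid": 1, "signature_id": 2100498, "rev": 7,
                          "signature": "GPL ATTACK_RESPONSE id check returned root",
                          "category": "Potentially Bad Traffic", "severity": 2}}),
    json.dumps({"timestamp": "2015-01-14T10:05:00.000000+0000", "event_type": "flow",
                "src_ip": "198.51.100.7", "dest_ip": "192.0.2.10", "proto": "TCP"}),
    json.dumps({"timestamp": "2015-01-14T11:00:00.000000+0000", "event_type": "alert",
                "src_ip": "203.0.113.4", "dest_ip": "192.0.2.20", "proto": "TCP",
                "alert": {"gid": 1, "signature_id": 2013028, "rev": 4,
                          "signature": "ET POLICY curl User-Agent Outbound",
                          "category": "Attempted Information Leak", "severity": 2}}),
    json.dumps({"timestamp": "2015-01-14T12:00:00.000000+0000", "event_type": "alert",
                "src_ip": "198.51.100.9", "dest_ip": "192.0.2.10", "proto": "TCP",
                "alert": {"gid": 1, "signature_id": 2100498, "rev": 7,
                          "signature": "GPL ATTACK_RESPONSE id check returned root",
                          "category": "Potentially Bad Traffic", "severity": 2}}),
    "this line is not JSON and must be skipped",
]

# A later batch: one signature already in the history, one never seen before.
NEW_LINES = [
    json.dumps({"timestamp": "2015-01-15T09:00:00.000000+0000", "event_type": "alert",
                "src_ip": "198.51.100.7", "dest_ip": "192.0.2.10", "proto": "TCP",
                "alert": {"gid": 1, "signature_id": 2100498, "rev": 7,
                          "signature": "GPL ATTACK_RESPONSE id check returned root",
                          "category": "Potentially Bad Traffic", "severity": 2}}),
    json.dumps({"timestamp": "2015-01-15T09:30:00.000000+0000", "event_type": "alert",
                "src_ip": "203.0.113.8", "dest_ip": "192.0.2.30", "proto": "UDP",
                "alert": {"gid": 1, "signature_id": 2008578, "rev": 5,
                          "signature": "ET SCAN Sipvicious Scan",
                          "category": "Attempted Information Leak", "severity": 2}}),
]


def open_history(path=":memory:"):
    """Open (or create) the alert history database; keyed on (gid, sid)."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS alert_history (
        gid INTEGER NOT NULL, sid INTEGER NOT NULL, signature TEXT NOT NULL,
        first_seen TEXT NOT NULL, last_seen TEXT NOT NULL, hits INTEGER NOT NULL,
        PRIMARY KEY (gid, sid))""")
    return conn


def parse_alerts(lines):
    """Yield alert records from EVE JSON lines; skip non-alert and malformed lines."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not abort the whole batch
        if ev.get("event_type") != "alert" or "alert" not in ev:
            continue
        a = ev["alert"]
        yield {"gid": a.get("gid", 1), "sid": a["signature_id"],
               "signature": a["signature"], "timestamp": ev["timestamp"],
               "src_ip": ev.get("src_ip"), "dest_ip": ev.get("dest_ip")}


def triage(conn, lines):
    """Record every alert; return those whose signature had no prior history.

    On the baseline run everything is new (and is simply recorded). On later
    scheduled runs the returned list is what gets forwarded to an analyst.
    """
    novel = []
    for rec in parse_alerts(lines):
        key = (rec["gid"], rec["sid"])
        row = conn.execute("SELECT hits FROM alert_history WHERE gid=? AND sid=?",
                           key).fetchone()
        if row is None:
            conn.execute("INSERT INTO alert_history VALUES (?,?,?,?,?,1)",
                         (rec["gid"], rec["sid"], rec["signature"],
                          rec["timestamp"], rec["timestamp"]))
            novel.append(rec)
        else:
            conn.execute("UPDATE alert_history SET last_seen=?, hits=hits+1 "
                         "WHERE gid=? AND sid=?", (rec["timestamp"],) + key)
    conn.commit()
    return novel


def unique_signatures(conn):
    """Step 2: the unique alerts to review, with hit counts, most frequent first."""
    return conn.execute("SELECT gid, sid, signature, hits FROM alert_history "
                        "ORDER BY hits DESC, sid").fetchall()


if __name__ == "__main__":
    db = open_history()
    triage(db, BASELINE_LINES)          # step 1: 24-hour IDS baseline
    for row in unique_signatures(db):   # step 2: review unique alerts
        print(row)
    for rec in triage(db, NEW_LINES):   # step 3: forward alerts with no history
        print("forward to analyst:", rec["sid"], rec["signature"])
```

Keying on `(gid, sid)` rather than the full signature text means a rule revision bump does not re-open an already reviewed alert; if you would rather re-review on every `rev` change, add `rev` to the primary key.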


