[Oisf-users] "Recommended" rule settings
Cooper F. Nelson
cnelson at ucsd.edu
Thu Jan 15 22:27:32 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+1 This is standard best practice.
I don't run an IDP now, but when I did used the following process.
1. Run in IDS mode for 24 hours and build a list of all alerts.
2. Review all unique alerts and decide which ones to promote to 'drop'.
3. Have a scheduled process to evaluate all new alerts against a
database of previous ones. Alerts with no prior history are forwarded
to an analyst for review.
On 1/15/2015 12:59 PM, Andreas Moe wrote:
>
> So to do the TL;DR version.
> No one can say "this is the correct ruleset to run" because they dont
> know your network, your infrastructure, and so on. Start with all rules,
> tune, do performance testing, check for false positives. All new IDS
> solutions need a "initial tuning" phase. Someone trying to "sell you" an
> "this works out of the box" if filled with... sorry for saying this: shit =)
>
- --
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
iQEcBAEBAgAGBQJUuD7UAAoJEKIFRYQsa8FWzncIAIGthBd1fp5FY/jW/emaYSan
9DFmZmXdBoBrFn5gWb90VpGkVhzVI9jDMFwlf06hCNmy/7lEN2IyENvp+aFwwZTY
TeH/l1YC2mzlxY7deOjBVYAwJBwnZBvLvUftIn/2P2tBNfIYTDR7A9eVhmnpelJg
7XvplPKiZ1vUIs8eBg/5TsN2lVxJSBR0T/Gig6g8E4JRfoQF9r9gV9JSJlRMef1i
6mD5Vhh+LcNhblDMOOapoYQ2mM7ZmM29/6dZrsRQjn2m4XFa1kyODsf9Xnfb4Ipz
Ge0IXa7cY5KYWPmVdnsPhCBQjmY6fk8BnqPjtBj+5rtLev598k5SgCp3jxVXRxI=
=cO/v
-----END PGP SIGNATURE-----
More information about the Oisf-users
mailing list