Sanity Checking Your IDS Config
Tuning an IDS is never an once and done proposition. As a matter of fact, an IDS/IPS probably needs more constant maintenance and tuning than just about any other system you'll ever administer. After doing your initial setup and tuning, you';ll notice over time the false positive rate creeping up and the white noise getting louder.
A few things you might want to look at, on a regular basis, to keep the FP rate down and keep your focused EOI's that matter (events of interest) are:
A few things you might want to look at, on a regular basis, to keep the FP rate down and keep your focused EOI's that matter (events of interest) are:
- Protected Networks: Have new segments been added recently? If you don't add them to your list of protected networks, all those signatures with a flow of external to internal traffic can false posit on internal traffic. Review your monitored segments periodically, and look at your events for new internal subnets that may need defined.
- New signatures. Hopefully, your review your vendors new signatures before deploying (even if you use automation) to see if they're relevant for your infrastructure.Consider omitting signatures that aren't needed for your environment, or at least not adding them to real-time alerting or decreasing the alert level. If you're network is a strict Windows shop, running IIS Web servers, do you REALLY need 500 Apache/PHP signatures? Maybe your philosophy is you want to see ANY malicious traffic directed towards your networks, but you probably don't need real-time alerting on them in any case. How many analysts still get real-time alerting on Code Red?
- New servers: As new servers get added, you may see a marked increase in FP alerts. Patching software, anti-virus management servers, web content monitoring and the like do a LOT of talking on the network that could be construed as attacks by the IDS. Make sure you track down your top talkers regularly and adjust your filters as needed.