IPS Maintenance Tuning and Response Guide
IPS and intrusion detection system tuning and response may seem cumbersome at first, but it gets easier with time. Researching and analyzing alarms and events can take a great deal of time, so patience is key. This article aims to give you the information you need to properly maintain, tune and respond to events on your IPS sensor. Tuning intrusion detection systems and IPS sensors is not technically difficult, but be prepared to spend time, and lots of it.
When a signature fires you need to notice it somehow. Cisco IPS sensors push event data to the Cisco IEV (Cisco IPS Event Viewer), and Snort events can be viewed with ACID. You can hook an extra monitor to your existing PC, or configure another workstation or server, and keep these event consoles up on a dedicated monitor at all times so you notice suspicious activity as it happens and have a dedicated screen or system to investigate the incident on. Cisco MARS (Monitoring, Analysis and Response System) and Linux logging servers can be used to correlate event data and produce notifications via mail and other channels.
Your response method is critical to reducing response time and properly weeding out false positives. Every event needs to be confirmed, starting with reading up on what the event means. If you use Cisco IPS, you can obtain the signature description, recommended filters, benign triggers and related information by right-clicking the event in the IEV, or you can search directly at http://tools.cisco.com/security/center/search.x. If you use Snort, you can read about the event that just fired in the Snort signature database at http://snort.org/pub-bin/sigs.cgi. Packet captures are useful if further analysis is required; http://wireshark.org is great for viewing packets after the fact. Often the analysis of packets gives you enough detail to discern a false positive, and it also gives you more information to use in your investigation. Check where the suspected PC has been by looking at the log files (or NetFlow data, which rocks if you can get it). For tuning that is not related to a user or PC, you can then use online tools like http://www.dnsstuff.com, the Spamhaus DROP lists and DShield to see if the IP address is on any block lists.
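The block-list check at the end of that step is easy to script so it can run against a locally saved copy of the list during triage rather than by hand. The following is an added example, not code from the original article or from Spamhaus; it assumes the list has already been downloaded to a text file in the "CIDR ; reference" layout the Spamhaus DROP list uses, and every entry shown is a constructed sample (documentation ranges, placeholder references), not a real listing.

```python
"""Check an alert's remote IP address against an offline copy of a
CIDR block list such as the Spamhaus DROP list.

Added example, not part of the original article. Assumes the list was
downloaded beforehand in "<network> ; <reference>" form; the entries in
SAMPLE_DROP_LIST are constructed placeholders, not real listings.
"""
import ipaddress
from typing import Optional

# Constructed sample in DROP-list layout: comment lines start with ';',
# each entry is "<network> ; <reference>". One line is deliberately
# malformed to show that a bad line does not disable the whole check.
SAMPLE_DROP_LIST = """\
; DROP list (constructed sample for illustration only)
; Last-Modified: placeholder
198.51.100.0/24 ; SBL-EXAMPLE-1
203.0.113.0/25 ; SBL-EXAMPLE-2
300.1.1.0/24 ; SBL-BAD-LINE
2001:db8:bad::/48 ; SBL-EXAMPLE-3
"""


def parse_drop_list(text: str) -> list:
    """Parse DROP-style text into (network, reference) pairs.

    Malformed lines are skipped rather than aborting the load, so one
    corrupt line in a downloaded file does not silently turn the check off.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=False)
        except ValueError:
            continue  # skip garbage, keep the rest of the list usable
        entries.append((net, ref.strip() or "unreferenced"))
    return entries


def lookup(ip: str, entries) -> Optional[str]:
    """Return the list reference covering ip, or None if it is unlisted
    (or not a valid address at all)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, ref in entries:
        if addr.version == net.version and addr in net:
            return ref
    return None


def triage_sources(ips, text: str = SAMPLE_DROP_LIST) -> dict:
    """Map each remote address seen in the alerts to its block-list hit."""
    entries = parse_drop_list(text)
    return {ip: lookup(ip, entries) for ip in ips}


if __name__ == "__main__":
    for ip, hit in triage_sources(["198.51.100.77", "203.0.113.200",
                                   "2001:db8:bad::1"]).items():
        print(f"{ip:>20}  {hit or 'not listed'}")
```

A hit only tells you the remote network is listed; it supports the decision in the article's next step, it does not replace reading the signature description or looking at the packets. Internal addresses are out of scope for lists like this, which is why the article points you at logs and NetFlow for the user/PC side.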
Usually the above information gives you enough to make a logical tuning decision for the intrusion detection system. If you use a correlation server like MARS, I find it best to tune at the IPS sensor itself. Sometimes you have to fall back on a MARS drop rule just to screen out special cases, but it is better to keep the alert from being sent to the correlation device if at all possible. Be sure to keep a log of all signature tuning you have done and why you did it. You need this tuning record to cover your butt, and it will help you make decisions on future signatures or IPS installations. Tuning the intrusion detection system lets it run faster and more efficiently and lets you focus on real events when they take place. Tune the intrusion detection system for every signature as soon as the signature is added to the device, or else you could end up denying trusted traffic.
Intimate network knowledge is very useful when tuning out false positives. Many signatures are relevant only when the traffic comes from outside your network, in which case you can tune that type of signature to filter out your internal network addresses. Many signatures are specific to a particular operating system, as discussed earlier. With this in mind, you should speak with your network and server teams and have a solid understanding of the network topology. Change control is your best friend, because you must be made aware of all system and network changes so you can optimally monitor and protect the network. Documenting all signature tuning should become second nature and just part of the process.
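The two tuning patterns just described (external-only signatures filtered for internal sources, OS-specific signatures filtered by what the destination actually runs) and the tuning log the previous section insists on fit naturally into one small filter stage in front of the correlation server. The code below is an added example and is not Cisco IPS, MARS or Snort tooling; the signature IDs, events, asset inventory, change-control references and the RFC 1918 definition of "internal" are all constructed assumptions for illustration.

```python
"""Apply documented signature tuning to IPS events before they reach a
correlation server, and emit the tuning log that justifies each filter.

Added example, not part of the original article and not Cisco IPS, MARS
or Snort code. Signature IDs, events, inventory and change references
below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: internal space is RFC 1918; replace with your real topology.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed asset inventory from the server team: destination IP -> OS.
# Hosts absent from it are "unknown" and are never suppressed.
ASSET_OS = {"10.1.5.20": "linux", "10.1.5.21": "windows"}


@dataclass(frozen=True)
class TuningRule:
    """One tuning decision plus the record that justifies it."""
    sig_id: int             # constructed IDs, not real Cisco/Snort signature IDs
    condition: str          # "always" | "internal_source" | "dst_os_mismatch"
    reason: str
    author: str
    change_ref: str         # change-control ticket reference (placeholder)
    target_os: Optional[str] = None   # used only with "dst_os_mismatch"


@dataclass(frozen=True)
class Event:
    sig_id: int
    src: str
    dst: str
    name: str


def is_internal(ip: str) -> bool:
    """True if ip lies inside the configured internal address space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rule_matches(rule: TuningRule, event: Event, asset_os=ASSET_OS) -> bool:
    """Decide whether this documented rule suppresses the event."""
    if rule.sig_id != event.sig_id:
        return False
    if rule.condition == "always":
        return True
    if rule.condition == "internal_source":
        # Signature only matters from outside: drop internal sources only.
        return is_internal(event.src)
    if rule.condition == "dst_os_mismatch":
        # Suppress only when inventory positively says the target runs a
        # different OS; unknown hosts fall through and still alert.
        dst_os = asset_os.get(event.dst)
        return dst_os is not None and dst_os != rule.target_os
    raise ValueError(f"unknown tuning condition {rule.condition!r}")


def triage(events, rules, asset_os=ASSET_OS) -> list:
    """One disposition per event: suppress (with the rule's reason) or
    alert (forward to the correlation server)."""
    out = []
    for ev in events:
        hit = next((r for r in rules if rule_matches(r, ev, asset_os)), None)
        out.append({"sig_id": ev.sig_id, "src": ev.src, "dst": ev.dst,
                    "disposition": "suppress" if hit else "alert",
                    "reason": hit.reason if hit else None,
                    "change_ref": hit.change_ref if hit else None})
    return out


def render_tuning_log(rules) -> list:
    """Flatten the rules into the tuning log the article says to keep."""
    return [f"{r.change_ref} sig {r.sig_id} [{r.condition}] "
            f"by {r.author}: {r.reason}" for r in rules]


# Constructed sample rules and events.
SAMPLE_RULES = [
    TuningRule(60001, "internal_source", "recon signature is only meaningful "
               "from outside; internal scanners trip it", "analyst1",
               "CHG-0000 (placeholder)"),
    TuningRule(60002, "dst_os_mismatch", "Windows-only exploit signature "
               "firing against Linux hosts", "analyst1",
               "CHG-0001 (placeholder)", target_os="windows"),
]
SAMPLE_EVENTS = [
    Event(60001, "10.1.2.3", "10.1.5.20", "recon sig, internal source"),
    Event(60001, "198.51.100.9", "10.1.5.20", "recon sig, external source"),
    Event(60002, "198.51.100.9", "10.1.5.20", "Windows sig vs Linux host"),
    Event(60002, "198.51.100.9", "10.1.5.21", "Windows sig vs Windows host"),
    Event(60002, "198.51.100.9", "10.1.5.99", "Windows sig vs unknown host"),
    Event(60003, "10.1.2.3", "10.1.5.20", "untuned signature"),
]

if __name__ == "__main__":
    print(*render_tuning_log(SAMPLE_RULES), sep="\n")
    for rec in triage(SAMPLE_EVENTS, SAMPLE_RULES):
        print(rec)
```

Two design choices carry the article's advice: every suppression carries the author, reason and change reference, so the tuning log is generated from the same records the filter runs on and cannot drift from it, and an event whose destination is not in the inventory is never suppressed, so a host added without change control shows up as an alert rather than disappearing.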