07-14-2008 04:57 AM - edited 03-10-2019 04:11 AM
When bringing up a new sensor in a network, typically how long should the sensor be allowed to baseline or soak before tuning begins? Does Cisco recommend a specific time period?
07-14-2008 07:07 AM
We have a modified policy we use to start with but typically two weeks seems to be sufficient. That depends upon the sort of traffic you see, the placement of the sensor, and how busy it is. I could easily see spending an hour a day for several weeks tuning/profiling if this sensor was generating 50k events / day.
07-14-2008 11:36 AM
You can begin performing event analysis as soon as you plug your sensor into the network. This will allow you to eliminate false positives and create filters for events you don't want to see again from a particular host/network. The more you tune your signatures, the higher the quality of events you will get from them.
The only aspect that might need any "soak" time is the dozen or so "anomaly engine signatures". The anomaly engine needs a day to a week to "learn" what is normal traffic on your network, but that isn't any reason to wait to begin signature tuning.
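The tuning loop described in the reply above (rank the noisiest signatures, look at which sources fire them, then filter the known-benign host/network and signature pairs) as an added example. This is not code from the thread and not Cisco's own tooling: the CSV event format and the filter class are constructed, hypothetical stand-ins for whatever export and event-action-filter syntax your sensor actually uses.

```python
"""Triage a batch of IPS events by signature and source, then apply
event-action filters to suppress known false positives.

Added example, not from the thread. The log format and EventFilter are
hypothetical; Cisco IPS has its own export formats and filter syntax.
"""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed sample events (hypothetical CSV export): one row per alert.
SAMPLE_LOG = """\
time,sig_id,subsig,src,dst,severity
2008-07-14T00:01:02,2004,0,10.1.1.5,10.1.2.9,low
2008-07-14T00:01:03,2004,0,10.1.1.5,10.1.2.10,low
2008-07-14T00:02:11,3030,0,192.0.2.7,10.1.2.20,high
2008-07-14T00:03:00,2004,0,10.1.1.6,10.1.2.9,low
2008-07-14T00:03:40,5081,0,198.51.100.3,10.1.2.80,medium
2008-07-14T00:04:00,2004,0,10.1.1.5,10.1.2.11,low
2008-07-14T00:05:00,3030,0,192.0.2.7,10.1.2.21,high
"""


def parse_events(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def top_signatures(events, n=3):
    """Rank signatures by alert count; the noisiest are where tuning pays off first."""
    return Counter(e["sig_id"] for e in events).most_common(n)


def sources_for_signature(events, sig_id):
    """Which sources fire a given signature, most frequent first."""
    return Counter(e["src"] for e in events if e["sig_id"] == sig_id).most_common()


class EventFilter:
    """Hypothetical event-action filter: drop alerts for sig_id whose source
    lies inside src_net. The note records why the filter exists, so it can be
    reviewed later instead of silently hiding traffic forever."""

    def __init__(self, sig_id, src_net, note):
        self.sig_id = sig_id
        self.src_net = ipaddress.ip_network(src_net)
        self.note = note

    def matches(self, event):
        return (event["sig_id"] == self.sig_id
                and ipaddress.ip_address(event["src"]) in self.src_net)


def apply_filters(events, filters):
    """Return (kept events, {filter note: suppressed count})."""
    kept, suppressed = [], defaultdict(int)
    for e in events:
        hit = next((f for f in filters if f.matches(e)), None)
        if hit is None:
            kept.append(e)
        else:
            suppressed[hit.note] += 1
    return kept, dict(suppressed)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for sig, count in top_signatures(events):
        print(sig, count, sources_for_signature(events, sig))
    # After review: sig 2004 from the 10.1.1.0/24 monitoring hosts is benign.
    filters = [EventFilter("2004", "10.1.1.0/24", "monitoring hosts, sig 2004")]
    kept, dropped = apply_filters(events, filters)
    print(len(kept), "events left for analysis; suppressed:", dropped)
```

Re-run the ranking after each filter is added: the point is that the remaining high-severity events (here the two 3030 alerts from 192.0.2.7) stop being buried under the benign volume, and the filter's note gives you something to audit when the network changes.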