11-15-2004 07:27 AM - edited 03-09-2019 09:26 AM
I am trying to get Threat Response up and running to figure out what is real on my IDS. I have it going, but I need to tune it some. Does anyone know of any better material than the user guide to help with this? The user guide is pretty plain and not too detailed.
Tim
11-16-2004 11:16 PM
hello harness,
Are you talking about the signature tuning of IDS? If so, please take into consideration the following things:
1) You need to know the applications that are running in your network. You can filter out unused applications right on your perimeter router/firewall, just to avoid this traffic being detected by IDS. Even if IDS detects it, block these applications directly.
2) You are the one who has to decide which signatures to block. You also need to decide what needs to be done with the signature - block conn, block IP, reset TCP, log, etc.
Take care when you block a connection/IP. It can block the whole connection and bring down a service.
I don't see any documents exactly. Do you have any other query? If so, please let us know.
all the best !!
11-17-2004 01:44 PM
Question?
What exactly are you wanting to do?
There are several ways you can tune CTR.
1) Security Zones - Specific hosts with specific policies
2) Creating new policies - When an alert is seen you can assign agents to be executed, then assign this policy to a security zone.
3) Protected Hosts - Allows you to assign user/passwd to specific hosts for level 2 investigation. You can also assign specific OS mapping to these as well.
4) Protected Domains - Allows you to assign user/passwd to a domain for level 2 investigation. You can also assign specific OS mapping to these as well.
5) Set OS Mapping for events. This is a good policy to begin with. This basically lets CTR know that if it sees X event then it applies to Z OS
6) Schedule Agent - Schedule an agent to run against any host any time.
Let me know what you are looking to do and I can be a bit more concise.
Hope this helps
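As an added illustration of the tuning ideas in the two replies above (OS mapping for events, protected hosts with a known OS, security zones with their own policy action, and the caution about blocking actions), here is a small Python model of how those pieces combine to triage an IDS alert. This is example code written for this thread, not Cisco Threat Response's own code or API; the signature IDs, host inventory, zones and alert lines are all constructed.

```python
"""
Toy alert-triage model for the tuning concepts discussed in the thread.
Not CTR's own code: the data below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed OS mapping: "if it sees X event then it applies to Z OS".
# "any" means the signature is not OS-specific.
OS_MAPPING = {"2001": "windows", "2002": "linux", "2003": "any"}

# Constructed protected-host inventory (hosts we can investigate at level 2),
# with the OS family each one runs.
PROTECTED_HOSTS = {"10.0.0.5": "windows", "10.0.0.9": "linux"}

# Constructed security zones, each with its own policy action for alerts
# that turn out to be applicable. Blocking is reserved for the DMZ zone
# because a block can take a whole service down, as the reply warns.
SECURITY_ZONES = [
    {"name": "dmz", "cidr": "10.0.0.0/28", "action": "block_conn"},
    {"name": "corp", "cidr": "10.0.1.0/24", "action": "log"},
]


@dataclass
class Alert:
    sig_id: str
    dst_ip: str


def zone_for(ip):
    """Return the first security zone whose CIDR contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for zone in SECURITY_ZONES:
        if addr in ipaddress.ip_network(zone["cidr"]):
            return zone
    return None


def triage(alert):
    """Decide whether an alert applies to its target and which action to take."""
    target_os = OS_MAPPING.get(alert.sig_id, "any")
    host_os = PROTECTED_HOSTS.get(alert.dst_ip)
    zone = zone_for(alert.dst_ip)

    if host_os is None:
        # Unknown host: we cannot confirm relevance, so log only and
        # flag it for an agent run (the "Schedule Agent" feature) to fingerprint it.
        return {"verdict": "unknown_host", "action": "log",
                "zone": zone["name"] if zone else None,
                "reason": "host not in protected inventory; schedule an agent to fingerprint it"}

    if target_os not in ("any", host_os):
        # OS mismatch: the signature cannot affect this host, so downgrade it.
        return {"verdict": "not_applicable", "action": "log",
                "zone": zone["name"] if zone else None,
                "reason": f"signature targets {target_os}, host runs {host_os}"}

    # Applicable alert: the zone policy decides the action; default to log.
    action = zone["action"] if zone else "log"
    return {"verdict": "applicable", "action": action,
            "zone": zone["name"] if zone else None,
            "reason": f"signature targets {target_os}, host runs {host_os}"}


def parse_alert_line(line):
    """Parse a constructed 'sig_id,dst_ip' line into an Alert."""
    sig_id, dst_ip = (part.strip() for part in line.split(",", 1))
    return Alert(sig_id=sig_id, dst_ip=dst_ip)


def triage_lines(lines):
    """Triage a batch of constructed alert lines; returns a list of verdict dicts."""
    return [triage(parse_alert_line(line)) for line in lines if line.strip()]


# Constructed sample alerts, not real IDS output.
SAMPLE_ALERTS = [
    "2001,10.0.0.5",   # Windows signature against a Windows host in the DMZ
    "2001,10.0.0.9",   # Windows signature against a Linux host: false positive
    "2003,10.0.0.9",   # OS-agnostic signature against a DMZ host
    "2002,10.0.1.20",  # Linux signature against a host we know nothing about
]

if __name__ == "__main__":
    for line, result in zip(SAMPLE_ALERTS, triage_lines(SAMPLE_ALERTS)):
        print(line, "->", result["verdict"], result["action"], "|", result["reason"])
```

The point of the model is the ordering: relevance (OS mapping against the host's known OS) is settled before any zone action is chosen, so a blocking action is only ever applied to alerts that can actually affect the target, which keeps the aggressive actions from the second reply away from the false positives the third reply's OS mapping is meant to remove.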