
Threat Response Tuning

t.harness
Level 1

I am trying to get Threat Response up and running to figure out what is real on my IDS. I have it going, but I need to tune it some. Does anyone know of any better material than the user guide to help with this? The user guide is pretty plain and not too detailed.

Tim

2 Replies

sachinraja
Level 9

Hello harness,

Are you talking about the signature tuning of IDS? If so, please take the following things into consideration:

1) You need to know the applications that are running in your network. You can filter out unused applications right on your perimeter router/firewall, just to avoid this traffic being detected by IDS. Even if IDS detects it, block these applications directly.

2) You are the one who has to decide which signatures to block. You also need to decide what needs to be done with the signature: block conn, block IP, reset TCP, log, etc.

Take care when you block a connection/IP; it can block the whole connection and bring down a service.

I don't see any documents exactly. Do you have any other query? If so, please let us know.

all the best !!

cskipper
Level 1

Question?

What exactly are you wanting to do?

There are several ways you can tune CTR.

1) Security Zones - Specific hosts with specific policies

2) Creating new policies - When an alert is seen you can assign agents to be executed, then assign this policy to a security zone.

3) Protected Hosts - Allows you to assign user/passwd to specific hosts for level 2 investigation. You can also assign specific OS mapping to these as well.

4) Protected Domains - Allows you to assign user/passwd to a domain for level 2 investigation. You can also assign specific OS mapping to these as well.

5) Set OS Mapping for events. This is a good policy to begin with. This basically lets CTR know that if it sees X event then it applies to Z OS

6) Schedule Agent - Schedule an agent to run against any host any time.

Let me know what you are looking to do and I can be a bit more concise.

Hope this helps
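The two replies above describe the same tuning idea from two angles: per-signature actions (log, reset TCP, block connection, block IP) chosen with care so a block does not take down a service, and CTR-style context (security zones, per-zone policies, OS mapping) used to decide whether an alert is "real" for the host it hit. The following is an added illustration of that logic, not Cisco Threat Response code and not anything from the posters; the host inventory, zones, policies and alerts are all constructed, and names such as `triage` and `os_mismatch` are my own.

```python
"""Toy alert-tuning pass: security zones, per-zone policies and OS mapping
applied to constructed IDS alerts. Added example, not CTR/IDS product code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Alert:
    sig_id: int
    sig_name: str
    target_os: Optional[str]  # OS the signature is known to affect, if any
    src: str
    dst: str


# Constructed inventory: protected host -> OS (the "OS mapping" idea).
HOST_OS = {
    "10.0.1.10": "windows",
    "10.0.1.11": "linux",
    "10.0.2.20": "linux",
}

# Constructed security zones: network -> zone name.
ZONES = [
    (ip_network("10.0.1.0/24"), "dmz"),
    (ip_network("10.0.2.0/24"), "internal"),
]

# Constructed per-zone policies: signature id -> action, with a safe default.
# "log" is the default on purpose: blocking is the action that can take a
# service down, so it is opted into per signature and per zone.
POLICIES = {
    "dmz": {"default": "log", 1001: "block_conn", 1002: "reset_tcp"},
    "internal": {"default": "log", 1002: "block_ip"},
}


def zone_for(ip: str) -> str:
    addr = ip_address(ip)
    for net, name in ZONES:
        if addr in net:
            return name
    return "unknown"


def os_mismatch(alert: Alert) -> bool:
    """True when the signature targets an OS the destination host does not run."""
    host_os = HOST_OS.get(alert.dst)
    if alert.target_os is None or host_os is None:
        return False  # cannot rule anything out without both facts
    return host_os != alert.target_os


def triage(alert: Alert):
    """Return (zone, verdict, action) for one alert."""
    zone = zone_for(alert.dst)
    if os_mismatch(alert):
        # Exploit for an OS the host does not run: keep the record, never block on it.
        return zone, "likely_false_positive", "log"
    policy = POLICIES.get(zone, {"default": "log"})
    action = policy.get(alert.sig_id, policy["default"])
    return zone, "needs_investigation", action


# Constructed sample alerts (RFC 5737 documentation addresses as sources).
SAMPLE_ALERTS = [
    Alert(1001, "IIS buffer overflow attempt", "windows", "203.0.113.5", "10.0.1.10"),
    Alert(1001, "IIS buffer overflow attempt", "windows", "203.0.113.5", "10.0.1.11"),
    Alert(1002, "SSH brute force", None, "198.51.100.9", "10.0.2.20"),
    Alert(1003, "Generic port scan", None, "198.51.100.9", "10.0.2.20"),
]


def triage_all(alerts=SAMPLE_ALERTS):
    return [triage(a) for a in alerts]


if __name__ == "__main__":
    for a, (zone, verdict, action) in zip(SAMPLE_ALERTS, triage_all()):
        print(f"sig {a.sig_id} {a.sig_name!r} -> {a.dst} [{zone}] {verdict}: {action}")
```

The second IIS alert lands on a Linux host and is downgraded to a logged likely false positive, which is the "if it sees X event then it applies to Z OS" check from the reply above; the same signature against the Windows host in the DMZ gets the zone's block-connection action. Everything not explicitly listed falls through to log, so a new or untuned signature cannot cause an outage by default.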