Recently I’ve been busy with tuning Snort IDS (Intrusion Detection System) included with OSSIM. Compare to the installation process, the tuning process is much more involved and time-consuming.
You may wonder why should you do the tuning for you IDS ? Because if you don’t tune the IDS to suit your network environment (servers, network devices, security devices) you will get a lot of events. And I really mean A LOT OF. I received more than 100,000 events each day during the days before I did the tunnng. It’s a sure thing that if you received this number of events, you will not analyze them, you may not even read them anymore. The good thing is they are all false-positive, so you can ignore them. And of course you don’t want to store those false-positive events to disk. After the tuning process, I received less than ten events per day. :D
Here are several things that I learned during the tuning process :
- Know the information security policy implemented in the organization. You may want to get the written information security policy from the IT or IT Security Department.
- Understand which network component that want to be monitored. If an organization has thousands servers, you may need to ask which servers they want to monitor. Monitoring “ALL OF THEM” may be the answer they will give you, but please understand if one server generate only one event but you have to monitor a thousand servers, then you probably will received a thousand events. They should prioritize their servers.
- Understand the operating systems used in the organization. If the organization only used Linux, there is no point to enable IDS rules for other operating systems.
- Work with your counterpart in the organization. This is usually refers to IT people (system admin, network admin, security admin).
- Learn the network traffic behavior in the organization for several days. You may want to choose busy and not-busy day. In one of my tuning site, I notice that during the last day of a month, there is a lot of events about web-attacks. I further found out that this “attacks” were enerated by a public relation people posting to internal Sharepoint portal.
- Ask your search engine if you found unknown event.
- You got to have patience and perseverance. The tuning process may take longer time than you expected. And sometime you may need to do again and again.
At last, happy tuning. :D