OSSIM : Lessons Learned from Tuning Snort IDS

Recently I’ve been busy tuning the Snort IDS (Intrusion Detection System) included with OSSIM. Compared to the installation process, the tuning process is much more involved and time-consuming.

You may wonder why you should tune your IDS. Because if you don’t tune the IDS to suit your network environment (servers, network devices, security devices), you will get a lot of events. And I really mean A LOT. I received more than 100,000 events each day in the days before I did the tuning. It’s a sure thing that if you receive this number of events, you will not analyze them; you may not even read them anymore. The good thing is they are all false positives, so you can ignore them. And of course you don’t want to store those false-positive events on disk. After the tuning process, I received fewer than ten events per day. :D


The Past, The Present, and The Future

As I remember from several Buddhist texts that I’ve read, the past is already behind us and the future is still a question mark, so we should live in the present.

So from now on, I will not be bothered by my past life, I don’t need to worry about my future life, I will just enjoy my present life. I will appreciate every moment in my present life, no matter whether it is the worst moment or the best moment.

If there is no “worst”, then there is no “best”.

Sounds confusing? :D