[AusNOG] Best practices for handling IPS alerts?

Michael Richardson lists at mrichardson.name
Wed Apr 15 17:14:17 EST 2009


Hi everyone,

I'm being really careful to post responsibly, but it's still my first post
so please be gentle if I've got it wrong. :)

My question relates to getting some advice from the list as to how you
handle your IPS/IDS alerts. I've just started a new job and I'm responsible
for the IPS system that sits in front of our web farm to help protect it
from malicious traffic. We've configured the system to email us every time
there is something suspicious detected, and SMS us when there's lots of
suspicious activity detected.

This is the first IPS I've been responsible for managing, and the thing is
both useful and annoying. Of course the Internet is full of nasty traffic,
so this IPS alerts us several times a day to advise us that someone did
something bad, and that it stopped them (notices include things such as
brute force attempts, sql injections, etc).

If you run an IPS, have you configured it to alert you of suspicious
traffic? Is it simply configured to drop attackers quietly, or do you sift
through the countless minor concerns, just in case you might someday find a
serious attack?

Thanks for your time!

Mike
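One way to turn the "email on every hit, SMS on lots of hits" policy described in the post into a triage step that cuts the noise, as an added example that is not part of the original message or of any particular IPS product. It assumes a hypothetical pipe-delimited alert export (`timestamp|action|severity|signature|src_ip|dst_ip`) and uses constructed sample alerts; the routing rules (blocked low-severity hits are logged only, anything that got through or is high severity is emailed, a source exceeding a rate threshold in a sliding window is escalated to SMS as one summary) are the editor's, not the poster's setup:

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export (not real traffic). Assumed format:
# timestamp|action|severity|signature|src_ip|dst_ip
# Twelve blocked SSH brute-force hits from one source inside one minute...
BRUTE_FORCE = "\n".join(
    f"2009-04-15 09:00:{s:02d}|dropped|low|SSH brute force attempt|203.0.113.7|198.51.100.10"
    for s in range(1, 60, 5)
)
# ...plus a handful of single events from other sources.
SAMPLE_ALERTS = BRUTE_FORCE + "\n" + """\
2009-04-15 09:01:15|dropped|high|SQL injection in HTTP request|203.0.113.42|198.51.100.20
2009-04-15 09:02:00|dropped|low|HTTP directory traversal probe|203.0.113.99|198.51.100.20
2009-04-15 09:02:30|allowed|medium|Web shell upload signature|203.0.113.55|198.51.100.20
2009-04-15 09:03:00|dropped|low|HTTP directory traversal probe|203.0.113.13|198.51.100.20
"""


@dataclass(frozen=True)
class Alert:
    ts: datetime
    action: str     # "dropped" = the IPS blocked it; "allowed" = detect-only, it got through
    severity: str   # low / medium / high
    signature: str
    src: str
    dst: str


def parse_alert(line: str) -> Alert:
    """Parse one line of the (hypothetical) pipe-delimited export."""
    ts, action, severity, signature, src, dst = line.split("|")
    return Alert(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), action, severity, signature, src, dst)


def peak_rate(times, window: timedelta) -> int:
    """Largest number of events that fall inside any sliding window of length `window`."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:   # slide the left edge forward
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def triage(export: str, window: timedelta = timedelta(minutes=5), sms_threshold: int = 10) -> dict:
    """Route alerts to 'sms', 'email' or 'log' according to the policy in the lead-in."""
    alerts = [parse_alert(line) for line in export.splitlines() if line.strip()]
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a.src].append(a)

    routed = {"sms": [], "email": [], "log": []}
    for src, events in by_src.items():
        peak = peak_rate([a.ts for a in events], window)
        if peak >= sms_threshold:
            # Sustained activity from one source: one SMS summary instead of N emails.
            routed["sms"].append((src, peak))
        for a in events:
            if a.action != "dropped" or a.severity == "high":
                # Either it got through or it is serious: a human should look at it.
                routed["email"].append(a)
            elif peak < sms_threshold:
                # Blocked and low severity: keep for forensics, do not page anyone.
                routed["log"].append(a)
            # Blocked low-severity hits from a noisy source are covered by the SMS summary.
    return routed


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for src, peak in result["sms"]:
        print(f"SMS   : {src} hit {peak} times inside the window")
    for a in result["email"]:
        print(f"EMAIL : {a.ts} {a.severity:6} {a.action:7} {a.src} {a.signature}")
    print(f"LOG   : {len(result['log'])} blocked low-severity alerts kept on disk only")
```

On the sample data the twelve brute-force hits collapse into one SMS, the dropped SQL injection and the detect-only web-shell upload each produce an email, and the two blocked probes are only logged. The thresholds and window are the knobs to tune against your own baseline; the log bucket is what you search through after the fact, which is the usual compromise between "drop quietly" and "read every alert".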

