[AusNOG] Best practices for handling IPS alerts?
ngardiner at gmail.com
Wed Apr 15 17:30:18 EST 2009
Generally, IPS devices need tuning to become really useful. My general rule of thumb is disable every signature and only enable ones which cover your specific OS/application/version combinations. Some of the most useful signatures aren't the "malicious traffic" ones so much as the positive confirmation ones - signatures which trigger on strings which suggest an attack has succeeded.
An untuned IPS is often just a noisy distraction.
From: Michael Richardson <lists at mrichardson.name>
Sent: Wednesday, April 15, 2009 5:14 PM
To: ausnog at lists.ausnog.net
Subject: [AusNOG] Best practices for handling IPS alerts?
I'm being really careful to post responsibly, but it's still my first post so please be gentle if I've got it wrong. :)
My question relates to getting some advice from the list as to how you handle your IPS/IDS alerts. I've just started a new job and I'm responsible for the IPS system that sits in front of our web farm to help protect it from malicious traffic. We've configured the system to email us every time there is something suspicious detected, and SMS us when there's lots of suspicious activity detected.
This is the first IPS I've been responsible for managing, and the thing is both useful and annoying. Of course the Internet is full of nasty traffic, so this IPS alerts us several times a day to advise us that someone did something bad, and that it stopped them (notices include things such as brute force attempts, SQL injections, etc.).
If you run an IPS, have you configured it to alert you of suspicious traffic? Is it simply configured to drop attackers quietly, or do you sift through the countless minor concerns, just in case you might someday find a serious attack?
Thanks for your time!
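An added illustration of the tuning rule of thumb from the reply above (example code written for this thread, not from either poster or any IPS vendor): every signature starts disabled, only signatures covering a platform combination the web farm actually runs are enabled, and "positive confirmation" signatures are routed to paging while plain attempt signatures go to a log for later review. All sids, signature names, platform tags and the alert stream are constructed.

```python
"""Apply the reply's tuning rule to a constructed signature set.
Signatures are enabled only when every platform they cover is deployed;
generic signatures stay disabled.  Confirmation signatures (those that fire
on strings showing the attack succeeded) page a human, the rest are logged.
All sids, names, platform tags and alerts below are constructed, not vendor data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    platforms: frozenset            # empty set = generic, not tied to any platform
    confirms_success: bool = False  # True: matches evidence the attack worked


RULES = [
    Signature(1001, "IIS ASP.NET exploit attempt", frozenset({"windows", "iis/6.0"})),
    Signature(1002, "PHP remote file include attempt", frozenset({"php/5.2"})),
    Signature(1003, "Apache mod_rewrite overflow attempt", frozenset({"apache/2.2"})),
    Signature(1004, "Generic SQL injection probe", frozenset()),
    Signature(2001, "HTTP 200 body carries MySQL error banner", frozenset({"mysql/5.0"}), True),
    Signature(2002, "HTTP body echoes /etc/passwd contents", frozenset({"linux"}), True),
    Signature(2003, "HTTP body carries 'Directory of C:' listing", frozenset({"windows"}), True),
]

# What the (constructed) web farm actually runs, e.g. taken from an asset inventory.
INVENTORY = frozenset({"linux", "apache/2.2", "php/5.2", "mysql/5.0"})


def tune(rules, inventory):
    """Return {sid: action} for the signatures to enable.  A signature is enabled
    only when every platform tag it covers is deployed; generic signatures and
    those for platforms we do not run stay disabled.  Confirmation signatures
    get 'page' (SMS), attempt signatures get 'log' (review later)."""
    enabled = {}
    for rule in rules:
        if not rule.platforms or not rule.platforms <= inventory:
            continue
        enabled[rule.sid] = "page" if rule.confirms_success else "log"
    return enabled


def route(alert_sids, enabled):
    """Sort a stream of raw alert sids into page / log / suppressed buckets."""
    buckets = {"page": [], "log": [], "suppressed": []}
    for sid in alert_sids:
        buckets[enabled.get(sid, "suppressed")].append(sid)
    return buckets


if __name__ == "__main__":
    # Constructed day of alerts: mostly generic probes plus Windows attacks on a Linux farm.
    print(route([1004, 1004, 1001, 1002, 2001, 1004, 2003], tune(RULES, INVENTORY)))
```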