adric.net

Update of "IDS Policy Review"

Overview

Artifact ID: 74ccd9cf037b6076e38023554d6c451202107d76
Page Name:IDS Policy Review
Date: 2013-09-23 15:29:27
Original User: adric
Parent: 58adb692b1961d9e1d6e2f113c73f71c2d6bf531
Content

Upstream / background

Process

  1. Determine general IDS policy for your organization.
    1. It should derive from your CSIRT mission, which supports your organization's security policy.
    2. This is a great opportunity to write one. You could start with:
      • What are you looking for?
      • What aren't you looking for?
      • What are you going to do when you find it?
  2. Review all of the signature rules you are running (or intend to run) and take notes.
    1. I've used Excel and the Perl script below to get started with ET rules.
    2. Reference your historical alert data and incident records for hints.
    3. Note which rules were helpful and which were commonly false positives.
    4. What things will you never see in your environment?
  3. Recommend configuration changes including any custom rules needed. Write up a report.
  4. Implement the changes and monitor the results.
  5. Do this regularly (annually if not quarterly).

some Perl

Process rule files to TSV which Excel imports easily. Perl originally written by maxiez.com and then mangled by me:

#!/usr/bin/perl -w
use strict;

# Print header
print "Mesg\tSID\tRev\tRule\n";

# Loop through either standard input or a file given as the first argument
while (<>) {
    chomp;

    # Remove commented-out rules. Only strip when the '#' starts the line, so a
    # '#' inside a rule's content match does not truncate the rule.
    s/^\s*#.*//;

    # Escape double quotes so the rule can be emitted as a quoted field
    s/"/\\\"/g;

    # If the line has a message, sid and revision, print a line.
    # The " CHAT " in the pattern yanks the "ET CHAT" category prefix out of the
    # message, since it is repeated on every line of that rule file; change it to
    # the category of the file you are processing.
    if (/msg:\\".* CHAT (.*?)\\";.*sid:(\d+);.*rev:(\d+);/) {
        print "\"$1\"\t$2\t$3\t\"$_\"\n";
    }
}
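The following is an added example (not from the page or its author) that does the same job as the Perl above for steps 2 and 3 of the process, written in Python so it is easy to test. It generalises the script in three ways: the category is taken from the message prefix instead of being hard-coded to CHAT, disabled rules (leading "#") are kept and marked rather than dropped, and quoting for Excel is handled by the csv module's excel-tab dialect (doubled quotes) instead of backslash escapes. The rule lines and the alert counts are constructed samples, not real ET signatures or real alert data; the review() thresholds and the "sid,alerts,confirmed_incidents" input layout are assumptions for the example.

```python
import csv
import io
import re

# Constructed sample rule file in ET-style layout (not real ET signatures).
SAMPLE_RULES = """\
# Rule files often contain comment lines and disabled rules.
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"ET CHAT IRC NICK command"; flow:established,to_server; content:"NICK "; depth:5; classtype:policy-violation; sid:2000001; rev:5;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"ET CHAT IRC USER command"; flow:established,to_server; content:"USER "; classtype:policy-violation; sid:2000002; rev:3;)
alert udp any any -> any 53 (msg:"ET DNS Query for # in label"; content:"#"; classtype:bad-unknown; sid:2000003; rev:2;)
"""

# Constructed historical alert summary (assumed layout): one sid per line with
# the number of alerts it produced and how many became confirmed incidents.
SAMPLE_ALERTS = """\
sid,alerts,confirmed_incidents
2000001,12,3
2000003,9800,0
"""

# A rule line: optional leading '#' (disabled), an action keyword, then msg, sid and
# rev options. The msg group allows escaped quotes inside the message.
RULE_RE = re.compile(
    r'^(?P<disabled>\s*#\s*)?'
    r'(?P<action>alert|drop|pass|reject|log)\s+.*?'
    r'msg:\s*"(?P<msg>(?:[^"\\]|\\.)*)"'
    r'.*?\bsid:\s*(?P<sid>\d+)\s*;'
    r'.*?\brev:\s*(?P<rev>\d+)\s*;'
)

# ET-style messages start with a ruleset prefix and an upper-case category.
CATEGORY_RE = re.compile(r'^(?:ET|ETPRO|GPL)\s+([A-Z_]+)\s+(.*)$')


def split_category(msg):
    """Return (category, message) from an ET-style msg; category is '' if absent."""
    m = CATEGORY_RE.match(msg)
    return (m.group(1), m.group(2)) if m else ("", msg)


def parse_rules(text):
    """Parse rule lines into dicts; plain comment lines and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        category, message = split_category(m.group("msg"))
        rules.append({
            "sid": m.group("sid"),
            "rev": m.group("rev"),
            "category": category,
            "message": message,
            "disabled": m.group("disabled") is not None,
            "rule": line.strip(),
        })
    return rules


def rules_to_tsv(rules):
    """Emit the inventory as TSV; the excel-tab dialect doubles embedded quotes."""
    out = io.StringIO()
    w = csv.writer(out, dialect="excel-tab")
    w.writerow(["SID", "Rev", "Category", "Mesg", "Enabled", "Rule"])
    for r in rules:
        w.writerow([r["sid"], r["rev"], r["category"], r["message"],
                    "no" if r["disabled"] else "yes", r["rule"]])
    return out.getvalue()


def review(rules, alerts_csv, noise_threshold=1000):
    """Join the inventory with historical alert counts and note each rule's status."""
    counts = {}
    for row in csv.DictReader(io.StringIO(alerts_csv)):
        counts[row["sid"]] = (int(row["alerts"]), int(row["confirmed_incidents"]))
    notes = {}
    for r in rules:
        alerts, incidents = counts.get(r["sid"], (0, 0))
        if r["disabled"]:
            note = "disabled"
        elif alerts == 0:
            note = "never fired: check whether it can occur in this environment"
        elif incidents == 0 and alerts >= noise_threshold:
            note = "noisy with no confirmed incidents: likely false positive"
        else:
            note = "useful"
        notes[r["sid"]] = note
    return notes


if __name__ == "__main__":
    inventory = parse_rules(SAMPLE_RULES)
    print(rules_to_tsv(inventory))
    for sid, note in review(inventory, SAMPLE_ALERTS).items():
        print(sid, note)
```

Run it with the constructed data to see the TSV and one note per sid; point parse_rules at the text of your own rule files and review at an export of your alert counts to produce the notes for step 2. The noise threshold is a starting point to adjust from your own alert volumes, not a recommended value.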