adric.net

IDS Policy Review

Upstream / background

Process

  1. Determine general IDS policy for your organization.
    1. It should derive from your CSIRT mission, which supports your organization's security policy.
    2. This is a great opportunity to write one. You could start with:
      • What are you looking for?
      • What aren't you looking for?
      • What are you going to do when you find it?
  2. Review all of the signature rules you are running (or intend to run) and take notes.
    1. I've used Excel and the Perl script below to get started with ET rules.
    2. Reference your historical alert data and incident records for hints.
    3. Note which rules were helpful and which were commonly false positives.
    4. What things will you never see in your environment?
  3. Recommend configuration changes including any custom rules needed. Write up a report.
  4. Implement the changes and monitor the results.
  5. Do this regularly (annually if not quarterly).

some Perl

Processes rule files into TSV, which Excel imports easily. The Perl was originally written by maxiez.com and then mangled by me:

#!/usr/bin/perl -w
use strict;

# Print header
print "Mesg\tSID\tRev\tRule\n";

# Loop through either standard input or a file given as the first argument
while (<>) {
    chomp;
    # Remove comment lines (only a leading '#', so a '#' inside a rule body is kept)
    s/^\s*#.*//;
    # Quote quotes
    s/"/\\\"/g;
    # If it has a message, sid, and a revision, print a line;
    # yank out the category (" CHAT " for the emerging-chat rules) since it's repeated every line
    if (/msg:\\".* CHAT (.*?)\\";.*sid:(\d+);.*rev:(\d+);/) {
        print "\"$1\"\t$2\t$3\t\"$_\"\n";
    }
}
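As an added example (not the page's script, nor the author's or maxiez.com's code), here is the same rule-to-TSV step in Python, extended with the notes from step 2 of the process: each rule's sid is joined with a historical alert count and tagged as disabled, never-fired, noisy or ok. The rules and the per-SID counts below are constructed; in practice the counts would be aggregated from your own alert logs or incident records.

```python
import re

# Option fields a reviewer cares about (Snort/Suricata rule syntax).
MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev:\s*(\d+)\s*;')

def parse_rule(line):
    """One rule line -> dict, or None for blank, comment or malformed lines.
    A leading '#' means present-but-disabled; a '#' inside the body is kept."""
    text, enabled = line.strip(), True
    if text.startswith("#"):
        text, enabled = text.lstrip("# "), False
    if not text.startswith(("alert", "drop", "pass", "reject", "log")):
        return None
    m, s, r = MSG_RE.search(text), SID_RE.search(text), REV_RE.search(text)
    if not (m and s and r):
        return None  # no msg/sid/rev: not a reviewable rule
    return {"msg": m.group(1), "sid": int(s.group(1)), "rev": int(r.group(1)),
            "enabled": enabled, "rule": text}

def review_rules(rule_text, alert_counts, noisy_threshold=1000):
    """Join each rule with its historical alert count and tag it for review."""
    rows = []
    for rule in filter(None, map(parse_rule, rule_text.splitlines())):
        hits = alert_counts.get(rule["sid"], 0)
        if not rule["enabled"]:
            note = "disabled"
        elif hits == 0:
            note = "never-fired"  # candidate: does this ever apply here?
        elif hits >= noisy_threshold:
            note = "noisy"        # candidate: false positive or needs tuning
        else:
            note = "ok"
        rows.append({**rule, "hits": hits, "note": note})
    return rows

def to_tsv(rows, cols=("sid", "rev", "hits", "note", "msg")):
    """TSV for Excel, as on the page (a tab inside msg would break a row)."""
    lines = ["\t".join(cols)] + ["\t".join(str(r[c]) for c in cols) for r in rows]
    return "\n".join(lines) + "\n"

# Constructed sample rules and alert counts (not from any real ruleset).
SAMPLE_RULES = """\
alert tcp any any -> any 6667 (msg:"ET CHAT IRC NICK command"; content:"NICK "; sid:2000001; rev:3;)
#alert tcp any any -> any 6667 (msg:"ET CHAT IRC JOIN command"; content:"JOIN #"; sid:2000002; rev:2;)
alert tcp any any -> any 5190 (msg:"ET CHAT AIM Login"; content:"*|02|"; sid:2000003; rev:1;)
alert tcp any any -> any 1863 (msg:"ET CHAT MSN Login"; content:"USR "; sid:2000004; rev:2;)
"""
SAMPLE_HITS = {2000001: 1500, 2000003: 12}
```

Run `print(to_tsv(review_rules(SAMPLE_RULES, SAMPLE_HITS)))` to get the sheet; the never-fired and noisy rows are the ones to discuss in the report from step 3.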