addressed in an integrated manner to manage network security, and this needs to be undertaken in the context of correct media relationships.

Network IDS Design and Implementation

IDS Components

I am familiar with the IDS building process in the Snort environment, i.e.:

Building the analysis server, with Apache used to host the ACID console and MySQL used to store Snort alerts.
WebAdmin: used with a Snort plug-in to administer the Snort sensors.
ACID (Analysis Console for Intrusion Databases): used to view and consolidate firewall logs and/or Snort alerts.

Sensor Installation

Configuration of Snort on Red Hat 7.2, and installation outside and inside the firewall to enable getting the real IPs of NATted intrusions and correlation of events as they happen through the firewall.

IDS Sensor Tuning in a high-bandwidth environment

Filtering Signatures

Signature trimming can remove many unnecessary signatures at a time. For example, if the system is running Snort, the admin can simply edit the snort.conf file and remove entire rules files (e.g. rpc.rules, x11.rules). To get more granular, the administrator should look at the more common services (e.g. HTTP, FTP, SMTP) and see whether the attack signatures they are looking for match the services that the company runs. In this context, it makes sense to look for signatures that match the software vendors that are on the network. For example, if the company uses FTP servers, but none of them are running wu-ftp, the NIDS does not need to be configured to look for wu-ftp exploits.

Filtering Unwanted Traffic

Most NIDSs have some sort of filtering function that allows certain types of traffic to be disregarded, e.g. multicast traffic can be disregarded on the monitoring NIC. NIDSs need to be tuned to the particular network on which they are installed.
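The two levels of signature trimming described under Filtering Signatures, as an added example that is not code from this page or from the Snort project. It assumes rules files are pulled in by `include` lines in snort.conf and that a rule's `msg` text names the software it targets; the function names, sample configuration and sample rules are constructed for illustration.

```python
import re

# Matches snort.conf lines such as "include $RULE_PATH/rpc.rules" or "include rpc.rules".
INCLUDE_RE = re.compile(r'^\s*include\s+(?:\S*/)?([\w.-]+\.rules)\s*$')
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')

def trim_includes(conf_text, unused_rule_files):
    """Coarse trimming: comment out whole rules files for services the network does not run."""
    out, disabled = [], []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m and m.group(1) in unused_rule_files:
            disabled.append(m.group(1))
            line = "# " + line.lstrip()
        out.append(line)
    return "\n".join(out), disabled

def trim_rules(rules_text, absent_software):
    """Granular trimming: comment out single rules whose msg names software not deployed."""
    out, disabled = [], []
    for line in rules_text.splitlines():
        m = MSG_RE.search(line)
        if (m and not line.lstrip().startswith("#")
                and any(s.lower() in m.group(1).lower() for s in absent_software)):
            disabled.append(m.group(1))
            line = "# " + line
        out.append(line)
    return "\n".join(out), disabled

# Constructed sample input, not taken from a real deployment.
SAMPLE_CONF = """\
var RULE_PATH ./rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/web-misc.rules
"""
SAMPLE_FTP_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp example signature"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP generic example signature"; sid:1000002;)
"""

if __name__ == "__main__":
    conf, files = trim_includes(SAMPLE_CONF, {"rpc.rules", "x11.rules"})
    rules, msgs = trim_rules(SAMPLE_FTP_RULES, ["wu-ftp"])
    print(conf, "\ndisabled files:", files)
    print(rules, "\ndisabled rules:", msgs)
```

Commenting lines out rather than deleting them keeps the trimmed signatures easy to restore if a service is later deployed.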
To Contact Me

Phone: 07768 113497 Fax: 01473 423491


IDS / Security Information Management Issues
