NSM; work and IT @ 22 Apr 2007 12:06 pm by ayoi
I can’t get anything done today. Why? Dunno. My brain seems to be boycotting me. (Fortunately it still processes the basic functions properly; if not, I’d be lying in bed doing nothing.)
Anyway, I came across shirkdog’s post on Tuning the IDS. His post mentioned the need to have the right rules for the segment being monitored. What is the purpose of having IIS and Windows-related rules when the segment you monitor, like the DMZ, doesn’t have Windows installed on any of its machines? Unless there’s a case where an administrator has IIS installed on his Apache-powered web servers, which I highly doubt will happen.
That reminds me of the discussion I had with my colleague on Friday. The argument was actually about the need for full content data; to be specific, the access speed for an analyst to get at the full content data. Having full content, session, statistical and alert data is the ideal way to monitor. But for our clients, bandwidth and storage are the main issue. So I suggested that we should fine-tune the rules, log as much session data as we can, and trigger full content data collection only when there is suspicious traffic that needs to be analysed. Having all the rules activated will of course generate too many false positive alerts. For example, why should we waste our time analysing WEB-IIS ISAPI .idq access or WEB-IIS CodeRed v2 root.exe access alerts on our FreeBSD with Apache web servers?
You tell me.
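An added example of the pruning argued for above (my code, not the post’s or shirkdog’s): it comments out Snort rules whose msg: prefix implies a platform or service that a segment’s inventory says is absent, so the FreeBSD/Apache DMZ loses its WEB-IIS rules while generic WEB-MISC rules stay. It goes a little beyond the post by treating NETBIOS rules the same way; the sample rules, sids, prefix map and segment inventory are all constructed for the example.

```python
import re

# Constructed sample rule file in Snort 2.x syntax; sids are local-range placeholders.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .idq access"; uricontent:".idq"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; uricontent:"/root.exe"; nocase; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache directory disclosure attempt"; uricontent:"////"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:to_server,established; content:"IPC$"; sid:1000004; rev:1;)
"""

# msg: prefix families that only make sense when the segment runs the named
# platform or service. Unlisted prefixes (WEB-MISC, WEB-CGI, ...) are generic
# and always kept. Mapping constructed for this example.
PREFIX_REQUIRES = {
    "WEB-IIS": ("services", "iis"),
    "WEB-FRONTPAGE": ("services", "iis"),
    "NETBIOS": ("platforms", "windows"),
}

MSG_RE = re.compile(r'msg:"([^"]+)"')
SID_RE = re.compile(r"sid:(\d+)")

def rule_applies(rule, segment):
    """True when the rule's msg: prefix fits the segment's inventory."""
    m = MSG_RE.search(rule)
    if not m:
        return True  # no msg: to judge by, keep the rule
    prefix = m.group(1).split(" ", 1)[0]
    req = PREFIX_REQUIRES.get(prefix)
    return req is None or req[1] in segment[req[0]]

def tune_rules(rules_text, segment):
    """Comment out rules irrelevant to segment; return (new_text, disabled sids)."""
    out, disabled = [], []
    for line in rules_text.splitlines():
        if line.lstrip().startswith("alert") and not rule_applies(line, segment):
            sid = SID_RE.search(line)
            disabled.append(int(sid.group(1)) if sid else None)
            out.append("# disabled for %s: %s" % (segment["name"], line))
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled

# Inventory for the FreeBSD/Apache DMZ described in the post (constructed).
DMZ_WEB = {"name": "dmz-web", "platforms": {"freebsd"}, "services": {"apache"}}

if __name__ == "__main__":
    text, disabled = tune_rules(SAMPLE_RULES, DMZ_WEB)
    print(text)
    print("disabled sids:", disabled)  # [1000001, 1000002, 1000004]
```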
p/s: I’m still finalising the materials for geek00l’s security analyst handbook. There are a few adjustments needed as some of the information is sensitive hehehe. Perhaps I should simulate the attack. Hmmm