Sanity Checking Your IDS Config

Tuning an IDS is never an once and done proposition. As a matter of fact, an IDS/IPS probably needs more constant maintenance and tuning than just about any other system you'll ever administer. After doing your initial setup and tuning, you';ll notice over time the false positive rate creeping up and the white noise getting louder.
A few things you might want to look at, on a regular basis, to keep the FP rate down and keep your focused EOI's that matter (events of interest) are:

1. Protected Networks: Have new segments been added recently? If you don't add them to your list of protected networks, all those signatures with a flow of external to internal traffic can false posit on internal traffic. Review your monitored segments periodically, and look at your events for new internal subnets that may need defined.
2. New signatures. Hopefully, your review your vendors new signatures before deploying (even if you use automation) to see if they're relevant for your infrastructure.Consider omitting signatures that aren't needed for your environment, or at least not adding them to real-time alerting or decreasing the alert level. If you're network is a strict Windows shop, running IIS Web servers, do you REALLY need 500 Apache/PHP signatures? Maybe your philosophy is you want to see ANY malicious traffic directed towards your networks, but you probably don't need real-time alerting on them in any case. How many analysts still get real-time alerting on Code Red?
3. New servers: As new servers get added, you may see a marked increase in FP alerts. Patching software, anti-virus management servers, web content monitoring and the like do a LOT of talking on the network that could be construed as attacks by the IDS. Make sure you track down your top talkers regularly and adjust your filters as needed.
   

Network Security Dashboards

If you're a graphical person, and like the dashboard approach to an overview of what's going on in NetSec, there are a couple I've found that are pretty nice. The first one is the Talisker Computer Defence Operation Picture site, found at http://www.securitywizardy.com/radar.htm. Andy's had this up quite a while, and there's even a shot of it on the wall at a site owned by the NSA! (http://www.networkintrusion.co.uk/)


I just found the second one, Infocon, which is located at https://i.sectoid.com. I saw a post by the author, Valter Santos, on a listserv, and I guess he's working on a new version of the site. Pretty sweet even in it's present incarnation.

If nothing else, throw one of these up on one of your screens at work. Even if you rarely look at it, it's sure to impress folks when they come into your office or cube!

Favorite Tools

New tools come out with amazing regularity. If you're getting started in NetSec, one of the first things you'll find out is there are tons of tools, and multiple ones to do any task, AND that you better learn enough Linux to install, configure and run them, as most of them don't have ports to Windows. With a few exceptions, even the ones that ARE available for Windows rarely run as well.
I have a toolkit (actually two, as I keep Windows and Linux tools separate) that has dozens and dozens of tools in it. Many I've tried out for a day or two, some I use on a semi-regular basis, and some I've never even found the time to install yet. But every network security analyst has, or should have, their core essentials.
If they run a distro on a thumb drive for emergency use, these would undoubtedly be on it. They are probably installed on every test box and personal box they have access to.
Mine as as follows (in no particular ranking or order...)

1. nmap - You have to have a port scanner, and year in and year out, Fyodor keeps making nmap better to the point that I've never changed. I've tried a bunch of others, but nmap continues to be the most stable and  dependable scanner I've ever tried. (Unicornscan WAS fun, I'll admit... smokin'!)
2. hping - You also need a packet crafting tool.. in this area, I think there are several really good ones, including scapy and Nemesis, but I like hping the best for it's simplicity and functionality. 
3. netcat - netcat does just about anything you need it to do as far as sending and receiving packets. It's called the "swiss army knife" of network tools for good reason. Need encryption? Get crypcat instead of or in addition to. 
4. ngrep - Ngrep is a libpcap tool that searches for strings in packets. If you're doing traffic analysis, it's almost indispensable.
5. dsniff - This suite of tools by Dug Song includes dsniff that searches traffic for logon credentials, as well as tools to sniff for web pages, files, mail and chat. There are also tools to do man in the middle attacks on SSH and HTTPS, as well as a nifty sniping tool to shoot down traffic.

I use many others, but those are the core 5 for my toolkit...

Why I Still Like Fedora

I see/hear the occasional trashing of RedHat/Fedora on the lists and from instructors (one really well respected and favorite instructor of mine said "Friends don't let friends run RedHat" =-) ) and I understand it, in part. The RedHat package for certain tools that NetSec folks use aren't up to snuff with with other distros or an install from source. Old tools like Shadow and IDABench took pains to mention if you're running RedHat, ditch the installed version and get source. But the issues I've found or heard about aren't game changers. I install most of my tools from source anyway. I rarely depend on a package. And RedHat's habit of renumbering interfaces between reboots...well, you ought to have the MAC hardwired in your network scripts anyway. The thing I love about RedHat is that it works. Plain and simple. I've used it for 10 years now (starting with RedHat 6.2) and never had a situation where it wouldn't install (unlike the Debian 5 install I just tried to do, where it couldn't find the factory installed (common) disk drive in an IBM 8171 Think Centre). It's been stable and easy to maintain version after version. I like things that work they way they're supposed. I've tested many other flavors for desktop/laptops, and always keep coming back to Fedora. I'd like to give Debian another shot. If it could find my hard drive...