IDS signatures - big picture stuff

From: Tim (ccie2be@nyc.rr.com)
Date: Sun Nov 13 2005 - 15:09:12 GMT-3


Hi guys,

This morning I was searching the Cisco site for over an hour trying to find
out more about IDS signatures - the big picture stuff.

For example, is Cisco still selling the 4.1 version of the IDS software? I
checked the EOS page but couldn't tell. To me, it looks like new IDSs
aren't being sold; you have to get an IPS with 5.1. Is that true?

As new threats are discovered and new signatures created, what does a
customer need to have and do to add them? A SmartNet contract? Does
keeping the set of signatures up to date work basically the same way as it
does with Anti-Virus software?

Approximately how many signatures are included with an IDS/IPS? And has the
number of signatures included been going up quickly over time?

Today, I've been reading through an IDS Exam Cram (very well written and
informative IMHO) and I noticed that a large percentage of signatures are
enabled by default. Then it occurred to me that no mention was made of what
the default action is when traffic matching an enabled signature is seen, or
what the default severity is.

Can anybody tell me what the default response action is and what the default
severity is? Does it depend on which particular signature is triggered?

And, now for the last questions.

Let's assume a client has just bought a new IDS and needs an IDS engineer to
set it up for his network. This client isn't a very technical person - he's
a manager and asks manager-type questions. He happens to have two questions:

Should he set up the IDS in front of or behind the firewall and why?

How many hours will it take for the engineer to set up the IDS? (This
manager doesn't know or care about the details of customizing signatures.
He just needs to know how much money he has to budget to get the job done to
have the IDS work properly for his network.)

Assume for simplicity that his network is a pure Windows shop and has one
connection to the internet and no other external connections.

Please forgive me for all the questions. It's just hard getting up to speed
on new technologies without someone around to show you the ropes and fill in
the blanks.

Thanks, Tim

This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:06 GMT-3