This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IDS Rules

I'm fairly new to ASL. I seems to have tons of rules available by default, but few of them are dropped. I've been trying to read the respective BUGTRAQ to see which ones can safely be dropped, and which ones might have a high false positive rate, but I can't see to find a decent amount of information about the false positive rates of various IDS rules. Anyone have suggestions for rules that should be dropped, but are not dropped by default?

[:S]

Thanks!

This thread was automatically locked due to age.

Parents

0 BarryG over 20 years ago

Well, if you know you've got a server which is vulnerable to some of the exploits, and you can't patch it, then you'd definitely want to drop those.

Try using Nessus or similar to check your servers if you're unsure.

Otherwise, I know many of the IIS exploits can be safely dropped with little risk of false positives, but there are lots of other things which cannot.

You can look at the counters and try to guess whether you have legit traffic matching the rules.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BarryG over 20 years ago

Well, if you know you've got a server which is vulnerable to some of the exploits, and you can't patch it, then you'd definitely want to drop those.

Try using Nessus or similar to check your servers if you're unsure.

Otherwise, I know many of the IIS exploits can be safely dropped with little risk of false positives, but there are lots of other things which cannot.

You can look at the counters and try to guess whether you have legit traffic matching the rules.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data