Linux IDS Threshold Configuration Question
Hello Everyone,
I am trying to learn best practice settings for IDSs. Currently I am working with Linux Suricata IDS and one of the configuration files is a "threshold.config" file. Simply running the IDS without any thresholds set causes log files to continuously run, and it's hard to flag potentially serious threats with so many false positives. I noticed I can set thresholds to only flag when the same issue is detected several times within a time interval.
Are there any best practices or ideal configurations when it comes to setting up thresholds so when the IDS goes off there are better chances it actually caught something nefarious going down?
Thanks in advance,
Joe
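As an added example (not part of the original post), a small Python simulation of how Suricata's threshold.config `type limit`, `type threshold` and `type both` modes change which events actually alert. The signature IDs, addresses and timestamps are constructed placeholders, and the parser only handles `threshold` lines (not `suppress` or `rate_filter`).

```python
# Added example: simulate threshold.config semantics over a constructed event stream.
from collections import defaultdict

# Constructed threshold.config lines; sids 1000001/1000002 are placeholders, not real rules.
THRESHOLD_CONFIG = """
# Noisy scan signature: report once per source per 5 minutes, then stay quiet.
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 300
# Brute-force style signature: only interesting after 5 hits from one source in a minute.
threshold gen_id 1, sig_id 1000002, type both, track by_src, count 5, seconds 60
"""

def parse_threshold_config(text):
    """Parse 'threshold' lines into dicts keyed by (gen_id, sig_id)."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("threshold "):
            continue  # comments, blanks, suppress/rate_filter lines are skipped
        fields = dict(f.split() for f in line[len("threshold "):].split(","))
        rules[(int(fields["gen_id"]), int(fields["sig_id"]))] = {
            "type": fields["type"], "track": fields["track"],
            "count": int(fields["count"]), "seconds": int(fields["seconds"])}
    return rules

def apply_thresholds(events, rules):
    """events: (time, gen_id, sid, src_ip, dst_ip) tuples. Returns the ones that alert."""
    state = defaultdict(lambda: {"start": None, "n": 0})  # per (rule, tracked host)
    alerts = []
    for t, gid, sid, src, dst in events:
        rule = rules.get((gid, sid))
        if rule is None:
            alerts.append((t, sid, src))  # no threshold configured: every match alerts
            continue
        st = state[(gid, sid, src if rule["track"] == "by_src" else dst)]
        if st["start"] is None or t - st["start"] >= rule["seconds"]:
            st["start"], st["n"] = t, 0  # interval expired: start a new one
        st["n"] += 1
        n, m = st["n"], rule["count"]
        # limit: first m per interval; threshold: every m-th; both: exactly once at the m-th
        if {"limit": n <= m, "threshold": n % m == 0, "both": n == m}[rule["type"]]:
            alerts.append((t, sid, src))
    return alerts

# Constructed sample: 10.0.0.5 trips the scan sig 6 times in 2 minutes and the
# brute-force sig 7 times in 30 seconds; 10.0.0.9 trips the brute-force sig only twice.
SAMPLE_EVENTS = [(t, 1, 1000001, "10.0.0.5", "10.0.0.1") for t in range(0, 120, 20)] + \
                [(t, 1, 1000002, "10.0.0.5", "10.0.0.1") for t in range(0, 35, 5)] + \
                [(t, 1, 1000002, "10.0.0.9", "10.0.0.1") for t in (10, 20)]

def demo():
    """15 raw matches collapse to 2 alerts: the scan once, the brute force at its 5th hit."""
    return apply_thresholds(sorted(SAMPLE_EVENTS), parse_threshold_config(THRESHOLD_CONFIG))
```

Note that `type limit` and `type both` deliberately hide later hits inside the interval, so they suit noisy scan or brute-force signatures, not single-shot high-severity ones where the first match is the one you need to see.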