Linux IDS Threshold Configuration Question

danmartinj · 02-10-2016, 11:46 AM

Hello Everyone,

I am trying to learn best practice settings for IDS's. Currently I am working with Linux Suricata IDS and one of the configuration files is a "threshold.config" file. Simply running the IDS without any thresholds set causes log files to continuously run and it's hard to flag potentially serious threats with so many false positives. I noticed I can set thresholds to only flag when the same issue is detected several times within a time interval.

Are there any best practices or ideal configurations when it comes to setting up thresholds so when the IDS goes off there are better chances it actually caught something nefarious going down?

Thanks in advance,

Joe

unSpawn · 02-10-2016, 12:57 PM

If running the IDS results in logs filling quickly then I'd think you better first tune your rule sets to what services you actually offer?..

JJJCR · 02-11-2016, 09:41 PM

Agree with unSpawn, just monitor the ports or services that the system is using.

unSpawn · 02-12-2016, 01:01 AM

I would phrase that differently: given common ways systems get root-compromised there are key areas you want to monitor, most of which will contain (root-owned) directories containing system binaries, libraries and configuration files. *And since you chose Samhain (good choice IMHO) ensure you use its inotify feature.