Hi Chris,

Moving from an IDS centric world to the IPS side is always a big challenge. Much of this challenge has to do with how much legitimate traffic you can afford to drop because of false positives. While it will be tough to find any good online book, as much of the tuning which you would need to do is specific to your environment and the vendor you are using, there are some general guidelines on the sequence in which you should proceed.


The first thing which you should enable is the DoS/DDoS/Scan attack category. These are useful as typically the first signs of a machine infected with a worm/bot would be to exhibit this behavior.


Safely enable all the TCP and IP flag related signatures (example: SYN and FIN set at the same time), as most of the stacks of today take care of these anomalies, and if there are any such packets roaming around they can be safely dropped without affecting the end machine's behavior.


If your vendor differentiates between exploit and vulnerability based signatures, go ahead and enable the exploit signatures as they typically have a very high level of confidence. Ask the vendor about the network performance impact of each signature before enabling it, as some of these signatures do pattern matching, which can be very processing intensive, and your inline IPS box might become a bottleneck.


Hope this helps.



Regards

Proneet.
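As an added illustration (not part of Proneet's reply), here is a small Python check for the TCP flag combinations the reply says an IPS can drop safely. It goes beyond the SYN+FIN case in the text to the other combinations no conforming stack emits (null, xmas, and a non-SYN/RST segment without ACK); the header layout follows RFC 793 and the sample segments are constructed inline.

```python
import struct

# TCP flag bits, byte 13 of the header (FIN is the low bit; ECE/CWR are the ECN bits)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def parse_tcp_flags(segment: bytes) -> int:
    """Return the flags byte of a raw TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than the 20-byte minimum")
    return segment[13]

def classify_flags(flags: int) -> "str | None":
    """Label a flag combination no conforming stack emits, or None if it looks normal."""
    # ECE/CWR are masked out: ECN bits may legitimately ride on any segment.
    f = flags & (FIN | SYN | RST | PSH | ACK | URG)
    if f == 0:
        return "null (no flags set)"
    if f & SYN and f & FIN:
        return "SYN+FIN"
    if f & SYN and f & RST:
        return "SYN+RST"
    if f & (FIN | PSH | URG) == (FIN | PSH | URG) and not f & ACK:
        return "xmas (FIN+PSH+URG without ACK)"
    # Apart from the initial SYN and a bare RST, every segment carries ACK.
    if not f & ACK and not f & SYN and not f & RST:
        return "ACK missing on non-SYN/RST segment"
    return None

def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header (zero seq/ack/checksum) for offline testing."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)

def audit(segments: list) -> list:
    """Return one anomaly label (or None) per raw TCP header, in order."""
    return [classify_flags(parse_tcp_flags(s)) for s in segments]

# Constructed samples: three normal segments, then the anomalies an IPS can drop safely.
SAMPLES = [
    build_tcp_header(40000, 80, SYN),                # handshake start
    build_tcp_header(40000, 80, PSH | ACK | ECE),    # data segment with ECN echo
    build_tcp_header(40000, 80, FIN | ACK),          # orderly close
    build_tcp_header(40001, 80, SYN | FIN),          # the combination the reply mentions
    build_tcp_header(40002, 80, 0),                  # null
    build_tcp_header(40003, 80, FIN | PSH | URG),    # xmas
    build_tcp_header(40004, 80, FIN),                # FIN without ACK
]

if __name__ == "__main__":
    for seg, label in zip(SAMPLES, audit(SAMPLES)):
        print(f"flags=0x{parse_tcp_flags(seg):02x} -> {label or 'ok'}")
```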

 
