Subject: Re: Validating IDS Rulesets
From: Joshua Krage (jkrage BUSER.NET)
Date: Fri Oct 20 2000 - 11:09:07 CDT
- Next message: Robert Graham: "Re: Validating IDS Rulesets"
- Previous message: Max Vision: "Re: Rapid response"
- In reply to: Keith Pachulski: "Re: Validating IDS Rulesets"
- Next in thread: Robert Graham: "Re: Validating IDS Rulesets"
- Next in thread: Chuck Marchman: "Re: Validating IDS Rulesets"
- Reply: Joshua Krage: "Re: Validating IDS Rulesets"
- Reply: Robert Graham: "Re: Validating IDS Rulesets"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, Oct 18, 2000 at 12:04:39PM -0400, Keith Pachulski wrote:
> Every new IDS signature is tested and retested in our network as is
> every security device we implement into our network. Not only are
> those devices tested before and after installation, but they are
> tested monthly to confirm they are still operating as expected.

Ah, excellent. This is the kind of response I was looking for.

Your database... a listing of signatures? Including network traces?
Or keeping an archive of exploit code? Or something else?

> Older IDS signatures remain in the database, no signature is cycled
> out or removed unless the signature has been proven to be faulty.
...
> extended documentation explaining why they were reworked and if the
> rework of the signature has been successful.

If I'm understanding what you're saying, once you have entered a
signature into the database, its integrity is protected by procedures
and documentation. And I'll assume that you've dealt with the lower
level data integrity issues (backups, checksums, etc.).

So you're keeping extensive documentation about the signature and its
modification history. But how are you validating the signature itself?
What triggers your "rework of the signature"?