Prioritizing Alerts
An IDS needs to be able to categorize and prioritize alerts in an organized fashion. Not all alerts deserve the same attention and scrutiny. A simple ping is no cause for immediate alarm, but a remote exploit attempt against an unpatched server is. Alerting in the IDS market comes in three flavors:
No prioritization
Hard-coded prioritization
Customizable prioritization
No Prioritization
In this system, all alerts have the same priority. This makes sorting by severity an impossibility. You have to wade through pages of alerts to find critical ones. With all alerts classified at the same priority level, notification becomes insanely frustrating. Any automatic emergency notification mechanism is rendered useless. How do you decide ...
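The difference between the three flavors shows up as soon as you try to triage a log. As an added example (not code from the book or from Snort), the Python below parses Snort's alert_fast output, where a rule with a classification emits a `[Classification: …] [Priority: N]` pair (1 is most severe), and surfaces the critical alerts first so a page of pings cannot bury an exploit attempt. The alert lines are constructed samples; the rule SIDs and addresses in them are made up.

```python
import re

# Constructed sample lines in Snort alert_fast format (not taken from the book).
# The last line has no classtype, so Snort prints neither a Classification nor
# a Priority tag for it: that is the "no prioritization" case in practice.
SAMPLE_ALERTS = """\
01/10-12:00:01.000001  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1
01/10-12:00:02.000002  [**] [1:1000001:1] EXAMPLE remote exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:40123 -> 10.0.0.20:445
01/10-12:00:03.000003  [**] [1:1000002:1] EXAMPLE web scan [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.9:40124 -> 10.0.0.30:80
01/10-12:00:04.000004  [**] [1:1000003:1] EXAMPLE unclassified event [**] {UDP} 10.0.0.7:5353 -> 224.0.0.251:5353
"""

# One alert_fast line: timestamp, [**] [gid:sid:rev] msg [**], optional
# classification and priority tags, {proto} src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_alert(line):
    """Parse one alert_fast line into a dict; return None for non-alert lines."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return {
        "timestamp": m.group("ts"),
        "sid": int(m.group("sid")),
        "msg": m.group("msg"),
        "classification": m.group("cls"),
        # None means the rule carried no priority at all.
        "priority": int(m.group("prio")) if m.group("prio") else None,
        "src": m.group("src"),
        "dst": m.group("dst"),
    }


def parse_alerts(text):
    alerts = (parse_alert(l) for l in text.splitlines())
    return [a for a in alerts if a is not None]


def triage(alerts, max_priority=1):
    """Order alerts most severe first (Snort priority 1 beats 3); alerts with no
    priority sort last. With max_priority set, keep only alerts at that
    severity or higher, which is what an emergency notifier should page on."""
    def key(a):
        p = a["priority"]
        return (p is None, 0 if p is None else p, a["timestamp"])
    ordered = sorted(alerts, key=key)
    if max_priority is None:
        return ordered
    return [a for a in ordered if a["priority"] is not None and a["priority"] <= max_priority]
```

With customizable prioritization, the same `triage()` call keeps working after you re-rank a noisy rule, because the priority travels with every alert line rather than living in the triage script.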