I'm looking for some input on when the best times to perform an IPS sensor DoS relearn are. The product guides mention only when network changes occur. Are there other scenarios, like hardware upgrades or IPS firmware upgrades, that might be cause to perform this?
If by "Hardware Upgrade" you mean the IDS hardware, then the sensor and manager will capture a baseline for the first 48 hours.
If you meant just general infrastructure hardware, it depends on the depth of the changes. Did you upgrade the switches/routers to handle more traffic and expect to see more traffic over the new segments? Did you add new endpoints that would produce more traffic? Did you recently expose a new server to the web that might generate more traffic, etc.?
If yes to any of those, I would put the sensor back into learning mode; just realize that for those 48 hours you will not see DoS or DDoS alerts as the baseline is created.
IPS firmware will not require a relearn; the manager profile will contain the existing baseline. If you wanted to re-run the learning mode between major firmware changes, i.e. 8.1 -> 8.2 or 8.3 -> 9.1, then that would be another way to keep the data fresh.
It all boils down to what your company wants to do as a measure to keep the DoS profiles fresh.
DoS Prevention KB
Best Practices KB - Search for DoS
I hope this helps.
Former Senior Support Engineer NSP Platinum