And one question?
Why do you want to disable the email notification for SB rules?
non-SB rules are more prone to false positive alerts, some from the security point of view would make more sense to check the emails of SB alerts? Even though if they are set to SB, the attack would be blocked...:o?
In any case, I belive the best option would be to configure the logic on a SIEM, so that you can leave all alerts with no email notification, and then once they get at the SIEM have a rule to trigger emails based on non-SB alerts.
But I still don't get the logic. 🙂 If you can share some insight we may be able to find another way 😉
Thanks for your thoughts! I appreciate you taking the time to discuss the issue. I agree with you about the SIEM, but we don't have one.
Why do I want to do this?
1) I've got a LOT more solutions to maintain than NSP. So, if I can see an attack was blocked, that is probably "good enough" for the time resources I have to devote to investigating NSP alerts. But, more importantly...
2) while I'm very used to seeing false positives and/or attacks I know are blocked, whoever covers for me while I'm away is not. I'm trying to prevent someone from panicking during my days off. I figured if I could repress emails about attacks that are known to be blocked, that would be one less thing my colleagues need worry about.
You are welcome Travler 😉
I get it. You know your stuff hence "You are the man".... 😄 Hopefully they just do as you say and they don't want to understand why.... 😜
You don't have a SIEM but you are trying to do some baseline/tuninig work on your IPS alertssdo you can enjoy your nights/time off! 😄 We've all been (o are) there...
So here my thoughts - again:
Based on my expierence - (I am a lazy person....) - email notifications and SB is not the most efficient way to get it done. Here is why:
- SIEM: It sounds like you need one, but you don't have one.... Why don't get a free trial/PoC (not full SIEM solution) underway to show to the business why that little investment will prevent not only you but your manager/director/C-exec be on annoying calls for nothing? 😛 McAfee Event Reporter can help you there.... and if not McAfee then check any other SIEM/syslog server with query language available to help you. It is definitely worth the effort...
-Second: if you aren't using a SIEM, are you using logical subinterfaces on NSP? Depending on what is that you are protecting, you should be able to map IP addresses to subinterfaces, where only the relevant alerts are triggered? I.e. think you are protecting digital platforms... each platform has its public IP, then internal webservers cluster, app servers, db servers, etc.... which you can logically organise on NSM using subinterfaces (CIDR/VLAN)
-Third: Baseline and tuning - always better after logical subinterfaces are created.... Even if you get 5M alerts a day, once you have logical subinterfaces defininig your online platforms (or offices, or internal segments, whtever)... it is much much easier to spend half a day on baseline and tuning and create ignore rules/advanced fw rules to prevent 'true positive with no security impact' alerts to trigger....
OK, there is some work to do in gathering the IP information for the different apps, offices, segments, etc... and then looking at the sigs you should apply, and then baseline and tuning... but if you can spend 3 days on this and create a defined process on what's a high risk alert or not.... how many hours won't you be on the phone?
If you have a SIEM, connected to CMDB or similar, and you can import vulnerability scan data.. and have some knowledgeable analysts doing the baseline/tuning of the policies applied to that logical subinterface... You will save time and effort... Trust me... An experienced IPS analysts should get *usually* 80% or more reduction on IPS alert with little effort..
As I said..I am lazy.... so minimum effot for max return is my thing.
Trying to work this out based on SB rules and email notifications sounds "interesting".. but not for me.... thanks! 😉
Hope this helps.
P:S:. And if you or anyone else looks into the API option, I would be interested in knowing if it is doable or not, thx!