SM-26—Intrusion Detection Systems

>Control Description

| Theme | Type | Policy/Standard |
| --- | --- | --- |
| | | Information Systems Operations Policy |

>Implementation Guidance
1. Ensure that the Organization has a policy or standard that covers the use and management of intrusion detection system (IDS) or intrusion prevention system (IPS) tools on its in-scope systems.
2. Ensure that an intrusion detection system (IDS) or intrusion prevention system (IPS) is deployed on all in-scope systems.
3. Ensure that the IDS/IPS tool is configured so that:
   • signature definitions are updated, including the removal of false-positive signatures
   • non-signature-based attacks are defined
   • the IDS/IPS is configured to capture malicious traffic (both signature-based and non-signature-based)
   • alerts are reviewed and resolved by authorized personnel when malicious traffic is detected
4. Ensure that the ability to disable IDS/IPS tools is restricted to limited personnel, and that the tools can only be disabled with a proper justification and for a limited time.
>Testing Procedure
1. Inspect that the Organization has a policy or standard that details the use and management of intrusion detection system (IDS) or intrusion prevention system (IPS) tools on its in-scope systems.
2. Obtain a list of all in-scope systems and, for a given sample, confirm that IDS/IPS is running on those systems and that it is up to date.
3. Inspect the IDS/IPS rulesets and ensure that they are configured with the items below:
   • signature definitions are updated, including the removal of false-positive signatures
   • non-signature-based attacks are defined
   • the IDS/IPS is configured to capture malicious traffic (both signature-based and non-signature-based)
   • alerts are reviewed and resolved by authorized personnel when malicious traffic is detected
4. For a sample of alerts, confirm that they were reviewed and resolved by the authorized personnel.
5. Observe configuration showing that IDS/IPS tools cannot be disabled except by authorized personnel, and can only be disabled with a proper justification and for a limited time.
>Audit Artifacts
>Framework Mappings
Cross-framework mappings provided by Adobe CCF Open Source under Creative Commons License.