IDS mailing list archives

Re: Tuning false positives


From: ismail syed <ismail_syed05 () yahoo com>
Date: Tue, 27 Dec 2005 21:29:57 -0800 (PST)

Hi Sam,

If your infrastructure is heterogeneous with load
balancers, proxies, backup servers and other monitoring
software, then traffic from them will definitely
generate a lot of false alarms when sensed by the IDS.
Unchecking a whole signature to reduce false alarms
is not a good idea; instead, create filters by following
the steps below:

- Check with the other teams who manage load balancers and
other such devices, and note down the port numbers, protocols
and kinds of traffic their software/hardware generate,
and the IP addresses of all these machines and clients.
- Recognize the false events these devices fire and
create filters in the IDS policy from a particular source
to a particular destination.
  Example: If LAN users access the internet through an
HTTP proxy you will see a lot of HTTP-based attacks from
internal clients to the proxy server which are false, so
create filters for these IDS events from all LAN users
to the proxy server in the IDS policy. Next time the event won't
trigger if the traffic is from LAN users to the proxy; for
other, external attacks it will still trigger the event.

- Don't forget to document the filters you created
with comments for future reference, and note that this
is a continuous cycle.

Regards
Ismail
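The source-to-destination filtering described above, as an added example (not part of the original message): each filter suppresses one event only for one documented src/dst pair, so the same event from an external address still fires, in contrast to disabling the signature outright. The LAN range, proxy address and event names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyFilter:
    """One documented source-to-destination exception for a single IDS event."""
    event: str                      # IDS event/signature name
    src: ipaddress.IPv4Network      # where the known false alarms originate
    dst: ipaddress.IPv4Network      # what they are aimed at
    note: str                       # who confirmed it, when, and why (the documentation step)

# Constructed policy: 10.0.0.0/24 is assumed to be the LAN, 10.0.1.5 the HTTP proxy.
FILTERS = [
    PolicyFilter("HTTP_Attack", ipaddress.ip_network("10.0.0.0/24"),
                 ipaddress.ip_network("10.0.1.5/32"),
                 "LAN clients to HTTP proxy; confirmed with proxy team, revisit next review cycle"),
]

def is_filtered(alert, filters=FILTERS):
    """True if a documented filter covers this event for this exact src/dst pair."""
    src = ipaddress.ip_address(alert["src"])
    dst = ipaddress.ip_address(alert["dst"])
    return any(f.event == alert["event"] and src in f.src and dst in f.dst for f in filters)

def apply_filters(alerts, filters=FILTERS):
    """Keep every alert not matched by a filter; no event is disabled globally."""
    return [a for a in alerts if not is_filtered(a, filters)]

def disable_event(alerts, event):
    """The approach the reply advises against: drop the event everywhere, real or not."""
    return [a for a in alerts if a["event"] != event]

# Constructed sample alerts
SAMPLE_ALERTS = [
    {"event": "HTTP_Attack", "src": "10.0.0.17",   "dst": "10.0.1.5"},  # LAN -> proxy: known false
    {"event": "HTTP_Attack", "src": "203.0.113.9", "dst": "10.0.1.5"},  # external -> proxy: keep
    {"event": "HTTP_Attack", "src": "10.0.0.17",   "dst": "10.0.2.8"},  # LAN -> other host: keep
    {"event": "SMB_Worm",    "src": "10.0.0.17",   "dst": "10.0.1.5"},  # different event: keep
]

if __name__ == "__main__":
    for a in apply_filters(SAMPLE_ALERTS):
        print("ALERT", a)
    print("lost by disabling HTTP_Attack outright:",
          len(SAMPLE_ALERTS) - len(disable_event(SAMPLE_ALERTS, "HTTP_Attack")), "alerts")
```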

-- Sam Heshbon <sheshbon () yahoo com> wrote:

My company is testing a few intrusion detection &
prevention products. On the first few hours/days
after deployment the machines alert on tens of
thousands of events, which is way too much for us to
ever go through, most of which are false alarms.

The vendor's solution is tuning the systems, which
means shutting down signatures, detection
mechanisms, omitting defragmentation tests and so
on. These tunings do reduce dramatically the
number of alerts, but it seems most of the detection
capabilities have been shut off too, so
things are nice and quiet but we've no idea what's really going
on in our network apart from catching the
trivial threats such as old worms, which don't get
false alarms.
Has anyone encountered this situation? Anyone got a
solution?

Thanks

Sam





------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to

http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.

------------------------------------------------------------------------








