Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
408
Views
0
Helpful
3
Replies

Dealing with False Positive alerts

Ronald Nutter
Level 1
Level 1

‎08-20-2008 01:09 PM - edited ‎03-10-2019 04:15 AM

I have hits on a BO2K-UDP signature. I looked up the ip address on Arin and it is from a company that we would probably do business with. Using nmap, I fingerprinted the remote server and it appears to be a standard MS Web/Mail server.

How do I tell IPS to ignore the host while paying attention to the rule ?

Ron

Labels:
0 Helpful
3 Replies 3

genewolfe
Level 1
Level 1

‎08-20-2008 03:37 PM

Set up an Event Action Filter to subtract the action of producing an alert when the alert includes for instance from attacker ip on port 4500 to this victim ip on port 4500 and the reverse

I'm not sure if that's what you're asking but I hope that helps

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni

‎08-20-2008 06:59 PM

Do the 'event action filter' bit only if you are seeing this event numerous times. Occasionally any web client (browser) could choose the source port 4500 at random. The returning traffic from the web server to the client on port 4500 is consider BO2K by the IPS.

Regards

Farrukh

0 Helpful

mdreelan
Level 1
Level 1

‎08-21-2008 12:31 PM

4500 UDP is for VPN tunnels. It is often a false positive for what you referenced. Just create Flase Postive event for the two hosts and tune it to log to DB only if you are using CSMARS, and I think it has already been answered for the IPS.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card