Dealing with False Positive alerts

Unanswered Question
Aug 20th, 2008
User Badges:

I have hits on a BO2K-UDP signature. I looked up the ip address on Arin and it is from a company that we would probably do business with. Using nmap, I fingerprinted the remote server and it appears to be a standard MS Web/Mail server.


How do I tell IPS to ignore the host while paying attention to the rule ?


Ron

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
genewolfe Wed, 08/20/2008 - 15:37
User Badges:

Set up an Event Action Filter to subtract the action of producing an alert when the alert includes for instance from attacker ip on port 4500 to this victim ip on port 4500 and the reverse


I'm not sure if that's what you're asking but I hope that helps

Farrukh Haroon Wed, 08/20/2008 - 18:59
User Badges:
  • Red, 2250 points or more

Do the 'event action filter' bit only if you are seeing this event numerous times. Occasionally any web client (browser) could choose the source port 4500 at random. The returning traffic from the web server to the client on port 4500 is consider BO2K by the IPS.


Regards


Farrukh

mdreelan Thu, 08/21/2008 - 12:31
User Badges:

4500 UDP is for VPN tunnels. It is often a false positive for what you referenced. Just create Flase Postive event for the two hosts and tune it to log to DB only if you are using CSMARS, and I think it has already been answered for the IPS.

Actions

This Discussion