Tuning issue with false positive

Unanswered Question
Jul 29th, 2009
User Badges:

One of my clients moved two of their email devices to a DMZ. The both produce alerts on the mass mailing worm alert. Before they were moved to the DMZ, you would see the alert and it would have a source and destination IP. Now it only has the destination IP address of where the device is sending email to. Since the MARS does not pick up the devices new IP address, I cannot false positive tune these alerts out. How would I go about fixing this issue?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
a-vazquez Tue, 08/04/2009 - 13:39
User Badges:
  • Silver, 250 points or more

When the IDS mistakenly thinks that normal traffic is malicious then false positives happen To reduce them you have to fine tune the system by letting it know what normal traffic means on your network.

Cisco has provided some great guidance on how to reduce false positives here:


pmccubbin Wed, 08/05/2009 - 04:25
User Badges:
  • Silver, 250 points or more

I agree 100% with Anthony. You must tune the IDS and reduce the false positives at the source, not try to tune them on MARS.

A "5" from NYC.


This Discussion