Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

False positive filter

I have IDS 4250 running 5.0 software. I mange it through IPSMC . I am getting lots of false positive on my IPSMC security monitor console. How do i filter it so it does not shows up in security monitor. In IDS 4.X version there was an option in IDSMC to create filter and exclude those false positives . I dont know how to do in in IPSMC with version 5.0. Thanks

Cisco Employee

Re: False positive filter

Use the "SigEvent Action Filters" section to create filters. These are the basic filters you know in v4.x but a lot more powerful now. For example, if you have actions on a particular sig of say, Produce Alert and TCP Reset, you can create a SigEvent Action Filter to just not do the TCP Reset if this sig fires for a certain address, etc. Before you pretty much just filtered the entire alert, but now you can filter particular actions on alerts (hence the name change).

If the only action you have on a particular signature is Produce Alert, then filter that action out in your new SigEvent Action Filter, and that in effect is doing the same thing as the filtering in v4.x.

Hope that helps.

New Member

Re: False positive filter

Hi I would really appreciate if some one would help me in this ,

It is about documentation process , If Security team figure out there is a false positive alarm , and want to add a filter or disbale an alarm , what is the noraml practice in the organization , Do they normally raize a change contriol to do it , Or have any security meeting with Server , Network team to develop a consensus what we need to do with this False alarm like disable the alarm or add filter.

CreatePlease login to create content