False Positives - Filter them at the IPS or in MARS?
I am currently in the process of configuring MARS to monitor two Cisco 4215 IPS sensors. I have rebuilt both of the sensors with the latest software (5.1d) and signatures, and they are logging events as expected.
My question is, where is it best to filter out the false positives, at the IPS device or at the MARS device? I have always been doing it at the individual IPS once I discover that there is one. Does anyone have any input or a best practice suggestion in regards to this?
Edit: This was answered in another post that I so blatantly missed.
Re: False Positives - Filter them at the IPS or in MARS?
I would say, it depends. If you wanted to see all the alarms, both false and true alarms, then do not filter at the IPS. This may be useful in tuning the alarms and signatures during initial implementation. If your network is fairly stable, then you can disable the false alarms at the IPS. But it is always better to take a look at even the "false" alarms to make sure they are indeed "false". You will have to draw the line between the two options.