Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

False Positives - Filter them at the IPS or in MARS?

I am currently in the process of configuring MARS to monitor two Cisco 4215 IPS sensors. I have rebuilt both of the sensors with the latest software (5.1d) and signatures and they are loggin events as expected.

My question is, where is it best to filter out the false positives, at the IPS device or at the MARS device? I have always been doing it at the individual IPS once I discover that there is one. Does anyone have any input or a best practice suggestion in regards to this?

Matt

Edit: This was answered in another post that I so blatantly missed.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddaebb0

1 REPLY
Bronze

Re: False Positives - Filter them at the IPS or in MARS?

I would say, it depends. If you wanted to see all the alarms, both false and true alrams, then do not filter at IPS. This may be useful in tuning the alarms and signatures during initial implementation. If your network is fairly stable, then you can disable the false alarms at the IPS. But it is always better to take a look at even the "false" alarms to make sure they are indeed "false". You will have to draw the line between the two options.

96
Views
0
Helpful
1
Replies