One of my clients moved two of their email devices to a DMZ. The both produce alerts on the mass mailing worm alert. Before they were moved to the DMZ, you would see the alert and it would have a source and destination IP. Now it only has the destination IP address of where the device is sending email to. Since the MARS does not pick up the devices new IP address, I cannot false positive tune these alerts out. How would I go about fixing this issue?
When the IDS mistakenly thinks that normal traffic is malicious then false positives happen To reduce them you have to fine tune the system by letting it know what normal traffic means on your network.
Cisco has provided some great guidance on how to reduce false positives here:
Show Name: Thoughts on Security at Cisco Live US 2018 in Orlando
Contributors: Kevin Klous, David White Jr., Aaron Woland, Jeff Fanelli
Posting Date: June 2018
Description: The team goes on-site in the Cisco Live Speaker room in...
RADIUS and Symantec VIP.
I will use screenshots of ASDM, and at the end I will add the required CLI commands. the diagram below show a diagram of the steps the FW goes through when using 2FA authentication:
As you can see in Fig. 1&nbs...