Eliminating False Positives

Hi,

We have an IDS 4210 box with version 3.1 and are using VMS to monitor and manage the IDS box. We are using a Perl script to send an email notification whenever an event is triggered. The problem is we are receiving a lot of false positives for signatures like 4001, 4003, 5366 etc. How can we eliminate detection of false positives?

Thanks and Regards

Salim

Accepted Solution

Re: Eliminating False Positives

Hi,

You could utilise Cisco Threat Response - that will get a feed directly from the Cisco IDS Sensors 3.X and 4.X and could assist in reducing false positives.

In a nutshell, CTR will perform a range of checks against attack targets, such as whether the system is running the right OS, and in the case of Windows systems it will check patch levels etc. It uses NMAP fingerprinting and agents. Currently I believe it is free and requires a Windows 2000 box with a fast processor to work.

The issue you will have with this is that it only escalates events using SNMP - so you would have to rely on your enterprise management to generate the emails.

It should dramatically reduce your events.

If you are using CSPM, you can also configure notifications to occur on the 1st occurrence of an event, the Nth occurrence, and a reset timer to reduce the number of repeating events.

In IDS version 4.X you can perform a range of tuning, including FireOnce, summary events etc., to further reduce the events generated.
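
The "1st occurrence / Nth occurrence / reset timer" notification scheme mentioned in the accepted solution can also be applied in the notification script itself, so that repeating alarms for the same signature and host pair are collapsed before any email goes out. The following is an added illustration, not Cisco's, CSPM's or the poster's code: it is written in Python rather than the Perl used on the box, and the event line format ("<epoch> sig=<id> src=<ip> dst=<ip>") and the sample lines are constructed for the example, not the IDS 3.1 or VMS log format.

```python
"""Alert throttling for IDS events (added example, not Cisco's code).

Notify on the first occurrence of a (signature, source, destination) tuple,
then on every Nth repeat, and start over once no matching event has been
seen for `reset_seconds`. The "<epoch> sig=<id> src=<ip> dst=<ip>" line
format is a constructed assumption for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Event:
    ts: float      # seconds since epoch
    sig_id: int    # IDS signature number, e.g. 4001
    src: str
    dst: str


@dataclass
class Throttle:
    nth: int = 10                 # notify again every nth repeat
    reset_seconds: float = 300.0  # quiet period after which the count restarts
    # per-key state: (count since last reset, timestamp of the last event seen)
    state: Dict[Tuple[int, str, str], Tuple[int, float]] = field(default_factory=dict)

    def should_notify(self, ev: Event) -> bool:
        key = (ev.sig_id, ev.src, ev.dst)
        count, last = self.state.get(key, (0, ev.ts))
        if count and ev.ts - last > self.reset_seconds:
            count = 0  # quiet period expired: treat this hit as a fresh first occurrence
        count += 1
        self.state[key] = (count, ev.ts)
        # 1st occurrence always notifies; afterwards only every nth repeat
        return count == 1 or count % self.nth == 0


def parse_line(line: str) -> Event:
    """Parse one constructed-format event line into an Event."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:])
    return Event(float(parts[0]), int(fields["sig"]), fields["src"], fields["dst"])


def summarize(lines, nth: int = 10, reset_seconds: float = 300.0) -> List[str]:
    """Return the notification texts that would be emailed for `lines`."""
    throttle = Throttle(nth, reset_seconds)
    notices = []
    for line in lines:
        ev = parse_line(line)
        if throttle.should_notify(ev):
            count = throttle.state[(ev.sig_id, ev.src, ev.dst)][0]
            notices.append(f"sig {ev.sig_id} {ev.src}->{ev.dst} count={count}")
    return notices


# Constructed sample: 25 chatty sig 4001 hits one second apart, one sig 5366
# hit, then a sig 4001 hit well after the 300 s reset window has elapsed.
SAMPLE_LINES = (
    [f"{1000 + i} sig=4001 src=10.0.0.5 dst=10.0.0.80" for i in range(25)]
    + ["1030 sig=5366 src=10.0.0.7 dst=10.0.0.80"]
    + ["1500 sig=4001 src=10.0.0.5 dst=10.0.0.80"]
)

if __name__ == "__main__":
    for notice in summarize(SAMPLE_LINES):
        print(notice)
```

With the sample above, the 27 raw events collapse to five notifications: the first sig 4001 hit, the 10th and 20th repeats, the single sig 5366 hit, and a fresh "count=1" for sig 4001 after the reset window. Keying on the (signature, source, destination) tuple rather than on the signature alone keeps a genuinely new host pair from being hidden behind an earlier chatty one.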

Replies

Re: Eliminating False Positives

Hello Salim

If you check the NSDB for the alarm signature updates, it indicates that some of these alarms have been disabled due to the false alarms.

I seem to remember that http:tunnel signature, & 4001 were a couple that should have been disabled.

We had to turn them off since they were alarming on all proxy requests (http tunnel) and 4001 was way too chatty.

Check the NSDB on both signatures. Hope this helps.

Mike
