Eliminating False positives

s.surani
Level 1

Hi,

We have an IDS 4210 box running version 3.1 and use VMS to monitor and manage the IDS box. We are using a Perl script to send an email notification whenever an event is triggered. The problem is that we are receiving a lot of false positives for signatures like 4001, 4003, 5366 etc. How can we eliminate detection of false positives?

Thanks and Regards

Salim

Accepted Solution

Hi,

You could utilise Cisco Threat Response, which takes a feed directly from Cisco IDS sensors 3.X and 4.X and could assist in reducing false positives.

In a nutshell, CTR will perform a range of checks against attack targets, such as whether the system is the right OS, and in the case of Windows systems it will check patch levels etc. It uses NMAP fingerprinting and agents. Currently I believe it is free and requires a Windows 2000 box with a fast processor to work.

The issue you will have with this is that it only escalates events using SNMP, so you would have to rely on your enterprise management to generate the emails.

It should dramatically reduce your events.

If you are using CSPM, you can also configure notifications to occur on the 1st occurrence of an event, the Nth occurrence, and a reset timer, to reduce the number of repeating events.

In IDS version 4.X you can perform a range of tuning, including FireOnce, summary events etc., to further reduce the events generated.

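The CSPM behaviour the answer above describes (mail on the 1st occurrence, again on every Nth, and start over after a reset timer) can be reproduced in front of the poster's own mailer, so repeats get throttled before any email is sent. The following is an added example written for this thread, in Python rather than the poster's Perl, and is not CSPM or CTR code. It also adds a small target-relevance check in the spirit of what CTR does: an alarm whose target is known not to run an OS the signature can affect is dropped. The asset inventory, the signature-to-OS mapping and the event stream are all constructed for illustration, and signature number 9001 is hypothetical; 4001 and 5366 are only used as keys, with no claim about what they detect.

```python
"""Notification throttle for IDS alarms: 1st occurrence, every Nth occurrence,
reset after a quiet period, plus a CTR-style target-relevance filter.

Added example, not Cisco code. OS inventory, signature-to-OS mapping and the
event stream are constructed; signature 9001 is a hypothetical number.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# An event as the Perl mailer would see it: (signature id, src, dst, unix time).
Event = Tuple[int, str, str, float]


@dataclass
class ThrottlePolicy:
    nth: int = 50                  # after the 1st, mail again on every Nth repeat
    reset_seconds: float = 3600.0  # quiet time after which the counter restarts


@dataclass
class _KeyState:
    count: int = 0
    last_seen: float = 0.0


class AlertNotifier:
    def __init__(self, policy: ThrottlePolicy,
                 target_os: Dict[str, str],
                 signature_os: Dict[int, Set[str]]) -> None:
        self.policy = policy
        self.target_os = target_os        # asset inventory: ip -> OS family
        self.signature_os = signature_os  # sig id -> OS families it can affect
        self._state: Dict[Tuple[int, str, str], _KeyState] = {}

    def relevant(self, sig_id: int, dst: str) -> bool:
        """CTR-style check: can this signature affect the target's OS at all?"""
        affected = self.signature_os.get(sig_id)
        if affected is None:
            return True          # signature is not OS-specific: keep it
        os_family = self.target_os.get(dst)
        if os_family is None:
            return True          # unknown asset: never suppress blindly
        return os_family in affected

    def should_notify(self, event: Event) -> bool:
        """Relevance filter, then the 1st/Nth/reset throttle per (sig, src, dst)."""
        sig_id, src, dst, ts = event
        if not self.relevant(sig_id, dst):
            return False
        key = (sig_id, src, dst)
        state = self._state.get(key)
        # Reset semantics assumed here: a gap longer than reset_seconds since the
        # last hit makes the next hit count as a fresh 1st occurrence.
        if state is None or ts - state.last_seen > self.policy.reset_seconds:
            state = _KeyState()
            self._state[key] = state
        state.count += 1
        state.last_seen = ts
        return state.count == 1 or state.count % self.policy.nth == 0

    def count_for(self, sig_id: int, src: str, dst: str) -> int:
        state = self._state.get((sig_id, src, dst))
        return state.count if state else 0


def build_sample_events() -> List[Event]:
    """Constructed event stream, not real sensor output."""
    events: List[Event] = []
    # 120 hits of sig 4001 in two minutes: the "way too chatty" case
    events += [(4001, "10.0.0.5", "10.0.0.10", 1000.0 + i) for i in range(120)]
    # the same key two hours later: past the reset timer, so a fresh 1st hit
    events.append((4001, "10.0.0.5", "10.0.0.10", 1000.0 + 119 + 7200.0))
    # three hits of sig 5366 against another host: an independent key
    events += [(5366, "10.0.0.6", "10.0.0.11", 2000.0 + i) for i in range(3)]
    # hypothetical Windows-only sig 9001 aimed at a Linux host: irrelevant
    events += [(9001, "10.0.0.7", "10.0.0.20", 3000.0 + i) for i in range(5)]
    return events


def run_sample() -> Dict[str, object]:
    """Run the constructed stream through the filter; returns what would be mailed."""
    notifier = AlertNotifier(
        ThrottlePolicy(nth=50, reset_seconds=3600.0),
        target_os={"10.0.0.10": "windows", "10.0.0.11": "windows",
                   "10.0.0.20": "linux"},
        signature_os={9001: {"windows"}},   # constructed mapping
    )
    notified: List[Tuple[int, str, str, int]] = []
    suppressed = 0
    for ev in build_sample_events():
        if notifier.should_notify(ev):
            sig_id, src, dst, _ = ev
            notified.append((sig_id, src, dst, notifier.count_for(sig_id, src, dst)))
        else:
            suppressed += 1
    return {"notified": notified, "suppressed": suppressed}


if __name__ == "__main__":
    result = run_sample()
    for sig_id, src, dst, n in result["notified"]:
        print(f"MAIL sig {sig_id} {src} -> {dst} (occurrence {n})")
    print(f"suppressed {result['suppressed']} of {len(build_sample_events())} events")
```

On the constructed stream only 5 of 129 events would reach the mailer. The key is what matters in practice: throttling per (signature, source, destination) keeps a new source or a new target visible while collapsing the repeats, whereas keying on the signature alone would hide a second attacker behind the first one's noise. The relevance filter deliberately keeps alarms for hosts missing from the inventory, since an incomplete asset list should not silently drop alerts.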

2 Replies

5mlattimore
Level 1

Hello Salim,

If you check the NSDB for the alarm signature updates, it indicates that some of these alarms have been disabled due to the false alarms.

I seem to remember that the http:tunnel signature and 4001 were a couple that should have been disabled.

We had to turn them off since they were alarming on all proxy requests (http tunnel) and 4001 was way too chatty.

Check the NSDB on both signatures. Hope this helps.

Mike

