Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Investigating alerts for false positives

I come from Snort IDS so pardon my confusion. I have been asked by my boss(es) to trim down the number of alerts we are seeing by culling false positives and perhaps adjusting thresholds. My problem is simply that my first step in determining the validity of alarms is *looking at the signature*.

Obviously I'm not the only one in this situation. Does anyone have any advice/help/suggestions for a newbie to closed-signature investigation? How do you know what's worth looking at and what's likely false?

New Member

Re: Investigating alerts for false positives

The best way to start is to filter the data so you know what signatures fire most often then start by investigating those maybe entering excluded patterns or possible tuning the sig depending on your network. Just work your way down the list Using the if you use SigWizMenu you can do the actuall tun the signatures also.

CreatePlease to create content