06-01-2007 09:22 AM - edited 03-09-2019 06:05 PM
I have a gazillion (really!) Unconfirmed False Positive events listed on that Tab in MARS. The specific event is "Windows SMB Enum Share DoS" and I created a Drop Rule for ANY of these events, with Source and Destination from my inside networks. I know all of my systems are patched against it.
It appears my Drop Rule is working, since viewing the Sessions associated with these (clicking the "Show" link at the right of each) shows no sessions after I installed the Drop Rule.
But I still have all of these Events in the Unconf. FP list. I would like to avoid doing the "False Positive" procedure for each, for two reasons:
1. It will take a long time.
2. I will also wind up with a gazillion Drop Rules, which the system will either have to process OR I'll have to go through THEM and Inactivate them.
Any ideas?
Paul Trivino
06-07-2007 01:18 PM
Try this to prevent System Determined False Positives from displaying as incidents:
If you confirm what was previously an unconfirmed false positive, then a drop rule is created. That drop rule should prevent any further incidents of that type. So, this shouldn't be happening. Please make sure you've clicked "Activate".
Check the related bug ID: CSCsc74104
06-07-2007 01:39 PM
Sorry, System Determined False Positives is not what I was asking about, just how to get rid of the "leftover" UFPs once I've created a Drop Rule. Thanx.
Paul