Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
260
Views
0
Helpful
2
Replies

MARS General FP Drop Rule vs. Listed Unconf. FPs

PAUL TRIVINO
Level 3
Level 3

‎06-01-2007 09:22 AM - edited ‎03-09-2019 06:05 PM

I have a gazillion (really!) Unconfirmed False Positive events listed on that Tab in MARS. The specific event is "Windows SMB Enum Share DoS" and I created a Drop Rule for ANY of these events, with Source and Destination from my inside networks. I know all of my systems are patched against it.

It appears my Drop Rule is working, since viewing the Sessions associated with these (clicking the "Show" link at the right of each) shows no sessions after I installed the Drop Rule.

But I still have all of these Events in the Unconf. FP list. I would like to avoid doing the "False Positive" procedure for each, for two reasons:

1. It will take a long time.

2. I will also wind up with a gazillion Drop Rules, which the system will either have to process OR I'll have to go through THEM and Inactivate them.

Any ideas?

Paul Trivino

Labels:
0 Helpful
2 Replies 2

bwalchez
Level 4
Level 4

‎06-07-2007 01:18 PM

Try this to prevent System Determined False Positives from displaying as incidents?

If you confirm what was previously an unconfirmed false positive, then a

drop rule is created. That drop rule should prevent any further incidents

of that type. So, this shouldn't be happening. Please make sure you've

clicked `Activate'.

Check the related bug-id:CSCsc74104

0 Helpful

PAUL TRIVINO
Level 3
Level 3
In response to bwalchez

‎06-07-2007 01:39 PM

Sorry, System Determined False Positives is not what I was asking about, just how to get rid of the "leftover" UFP's once I've created a Drop Rule. Thanx.

Paul

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents