IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Tuning false positives

From: Sam Heshbon <sheshbon () yahoo com>
Date: Sun, 25 Dec 2005 03:20:44 -0800 (PST)
My company is testing a few intrusion detection & prevention products. On the first few hours/days
after deployment the machines alert on ten of thousands of events, which is way too much for us to
ever go through, most of which are false alarms.
   
The vendor’s solution is tuning the systems, which means shutting down signatures, detection
mechanisms, omitting defragmentation tests and so on. These tunings do reduce dramatically the
number of alerts, but it seems most of the detection capabilities have been shut off too, so
things are 
nice and quite but we've no idea what's really going on in our network apart from catching the
trivial threats such as old worms, which don’t get false alarms.
Has anyone encountered this situation? Anyone got a solution?
   
Thanks
   
Sam



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: