IDS mailing list archives

RE: Tuning false positives


From: "Hazel, Scott A." <Scott.Hazel () unisys com>
Date: Wed, 28 Dec 2005 01:38:36 -0500

Hello Sam. 

IDS/IPS tuning is (or can be) a very time consuming process depending on
what you'd really like to see. I have the following suggestions. 

Compare your security policy with your network usage policy and
determine if there is a type of traffic you just don't care to see in
the IDS. For example, if you know that gambling or porn sites are
against company policy do you want to monitor this traffic with the IDS?
In some cases, this is less a security concern than a network usage
issue (HR policy). This type of traffic can open doors to more serious
security issues (malicious web sites, etc.) but there should be other
signatures monitoring those vectors. 

I agree with your points on reducing alert volume vs. system
functionality. I would avoid turning off signatures entirely if
possible. Sometimes it can't be avoided but it would be better to focus
on the source/destination addresses and try to utilize filters that
reduce the largest volume alerts first. In my experience it's much
easier to tune a system if you are intimate with the network involved.
For example, on a Microsoft network you'll know where your DCs etc. are
located. If you are getting a high volume of alerts on the netbios or
SMB ports from your internal hosts to your DCs then you could filter
those servers as destinations and/or filter your internal network ranges
as sources.  There will always be some trade-off of visibility vs.
manageable volume. Once the volume is down to an acceptable level (aka,
one you can manage), then you can return to these filters and possibly
make them more specific. A similar approach could be taken with other
server types (Apache servers on Unix seeing MS IIS exploit attempts).  

A dynamic network environment can also complicate this process. Don't
bother tuning against /32 host IPs if they're part of a RA pool or DHCP
pool that changes frequently. 

One last suggestion is to consider criticality of the alerts and/or
signatures. ISS keeps it simple with low, medium, high categorization
whereas Dragon breaks out into categories like Probes, Attacks,
Compromise, etc. It may seem obvious which of these is most important
but it requires more thought than just saying "focus on the high
alerts". In the beginning you may wish to focus on the most critical
alerts for review and work your way out to the less critical. 

Tuning is a never-ending process unless your network remains completely
static. Hope these suggestions are helpful. 

Scott Hazel
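The volume-first approach described above (rank signatures by count, suppress the top offenders by source range and destination host rather than disabling the signature, refuse /32 filters for addresses in a dynamic pool, then review what is left by severity), worked as an added example that is not part of the original message. The alert lines, host addresses and network ranges are constructed for the example; the sample lines borrow Snort's "fast" alert layout only so that they look familiar, and the suppress-filter semantics are an assumption, not any vendor's tuning syntax.

```python
"""Volume-first IDS alert tuning (added example; constructed data)."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample alerts in Snort fast-alert layout (not real traffic).
SAMPLE_ALERTS = """\
12/27-09:00:01.000 [**] [1:2404:1] NETBIOS SMB-DS IPC$ share access [**] [Priority: 3] {TCP} 10.1.5.20:1042 -> 10.1.0.10:445
12/27-09:00:02.000 [**] [1:2404:1] NETBIOS SMB-DS IPC$ share access [**] [Priority: 3] {TCP} 10.1.5.21:1043 -> 10.1.0.11:445
12/27-09:00:03.000 [**] [1:2404:1] NETBIOS SMB-DS IPC$ share access [**] [Priority: 3] {TCP} 10.1.5.22:1044 -> 10.1.0.10:445
12/27-09:00:04.000 [**] [1:2404:1] NETBIOS SMB-DS IPC$ share access [**] [Priority: 3] {TCP} 203.0.113.7:4444 -> 10.1.0.10:445
12/27-09:00:05.000 [**] [1:1256:1] WEB-IIS CodeRed v2 root.exe access [**] [Priority: 2] {TCP} 198.51.100.9:3333 -> 10.1.8.5:80
12/27-09:00:06.000 [**] [1:1256:1] WEB-IIS CodeRed v2 root.exe access [**] [Priority: 2] {TCP} 198.51.100.9:3334 -> 10.1.8.5:80
12/27-09:00:07.000 [**] [1:1256:1] WEB-IIS CodeRed v2 root.exe access [**] [Priority: 2] {TCP} 198.51.100.9:3335 -> 10.1.8.6:80
12/27-09:00:08.000 [**] [1:3000:1] SHELLCODE x86 NOOP [**] [Priority: 1] {TCP} 203.0.113.7:5555 -> 10.1.8.5:80
"""

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

# Assumed network facts for the example: internal range, the two DCs, the
# Unix/Apache web hosts, and the DHCP pool the workstations live in.
INTERNAL = ipaddress.ip_network("10.1.0.0/16")
DCS = frozenset(ipaddress.ip_address(h) for h in ("10.1.0.10", "10.1.0.11"))
APACHE_HOSTS = frozenset(ipaddress.ip_address(h) for h in ("10.1.8.5", "10.1.8.6"))
DHCP_POOLS = [ipaddress.ip_network("10.1.5.0/24")]


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    priority: int  # Snort convention: 1 is the most severe
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def parse_alerts(text: str) -> List[Alert]:
    """Parse fast-alert lines; non-matching lines are ignored."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            out.append(Alert(int(m["sid"]), m["msg"], int(m["prio"]),
                             ipaddress.ip_address(m["src"]),
                             ipaddress.ip_address(m["dst"])))
    return out


@dataclass(frozen=True)
class Suppress:
    """Drop alerts for one signature when every set condition holds.
    An unset source net / empty destination set is a wildcard, so the
    signature itself stays enabled for everything else."""
    sid: int
    src_net: Optional[ipaddress.IPv4Network] = None
    dst_hosts: frozenset = frozenset()

    def matches(self, a: Alert) -> bool:
        if a.sid != self.sid:
            return False
        if self.src_net is not None and a.src not in self.src_net:
            return False
        if self.dst_hosts and a.dst not in self.dst_hosts:
            return False
        return True


def is_dynamic(host, pools) -> bool:
    """True if the address sits in a DHCP/RA pool, i.e. a /32 filter on it
    would stop matching as soon as the lease moves."""
    addr = ipaddress.ip_address(host)
    return any(addr in p for p in pools)


def host_filter(sid: int, host: str, role: str, pools) -> Suppress:
    """Build a single-host filter, refusing hosts in a dynamic pool."""
    if is_dynamic(host, pools):
        raise ValueError(f"{host} is in a dynamic pool; filter the pool or "
                         f"the destination instead of a /32")
    addr = ipaddress.ip_address(host)
    if role == "src":
        return Suppress(sid, src_net=ipaddress.ip_network(f"{addr}/32"))
    if role == "dst":
        return Suppress(sid, dst_hosts=frozenset({addr}))
    raise ValueError("role must be 'src' or 'dst'")


def top_signatures(alerts: List[Alert]):
    """Highest-volume signatures first: the ones worth tuning first."""
    return Counter((a.sid, a.msg) for a in alerts).most_common()


def apply_filters(alerts: List[Alert], filters: List[Suppress]) -> Tuple[List[Alert], Counter]:
    kept, dropped = [], Counter()
    for a in alerts:
        hit = next((f for f in filters if f.matches(a)), None)
        if hit is None:
            kept.append(a)
        else:
            dropped[hit.sid] += 1
    return kept, dropped


def tune(alerts: List[Alert]) -> Tuple[List[Alert], Counter]:
    """The two filters from the message: internal hosts -> DCs on SMB, and
    IIS exploit attempts against the Apache hosts. External SMB stays."""
    filters = [Suppress(2404, src_net=INTERNAL, dst_hosts=DCS),
               Suppress(1256, dst_hosts=APACHE_HOSTS)]
    return apply_filters(alerts, filters)


def review_queue(alerts: List[Alert]) -> List[Alert]:
    """What is left, most critical first."""
    return sorted(alerts, key=lambda a: (a.priority, a.sid))


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("before tuning:", top_signatures(alerts))
    kept, dropped = tune(alerts)
    print("dropped per sid:", dict(dropped))
    for a in review_queue(kept):
        print(f"review: prio {a.priority} sid {a.sid} {a.src} -> {a.dst}")
```

Of the eight constructed alerts, the two filters drop six; the SMB alert from the external address and the shellcode alert survive, and the shellcode alert sorts to the top of the review queue. Trying `host_filter(2404, "10.1.5.20", "src", DHCP_POOLS)` raises, because that workstation address is inside the DHCP pool.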


        

-----Original Message-----
From: Sam Heshbon [mailto:sheshbon () yahoo com] 
Sent: Sunday, December 25, 2005 6:21 AM
To: focus-ids () lists securityfocus com
Subject: Tuning false positives

My company is testing a few intrusion detection & prevention products.
On the first few hours/days after deployment the machines alert on tens
of thousands of events, which is way too much for us to ever go through,
most of which are false alarms.
   
The vendor's solution is tuning the systems, which means shutting down
signatures, detection mechanisms, omitting defragmentation tests and so
on. These tunings do dramatically reduce the number of alerts, but it
seems most of the detection capabilities have been shut off too, so
things are nice and quiet but we've no idea what's really going on in
our network apart from catching the trivial threats such as old worms,
which don't get false alarms.
Has anyone encountered this situation? Anyone got a solution?
   
Thanks
   
Sam




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
