IDS mailing list archives

RE: Tuning false positives


From: "Gary Halleen (ghalleen)" <ghalleen () cisco com>
Date: Tue, 27 Dec 2005 20:38:56 -0800

Take a look at a good SIM product, like CS-MARS from Cisco Systems.
This correlates IPS/IDS events with firewall and other network device
logs, and also with vulnerability assessment tools (including NESSUS
built-in).  This correlation is again correlated with network topology
information, and automatically tunes your events for you.

In addition, there is a wealth of reports and query capabilities, as
well as a lot of options for manually creating rules and doing further
tuning.

Even though it is from Cisco, it works with most IDS/IPS and firewall
products, not just Cisco.

Gary
 

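Gary's suggestion above is to correlate each IDS event with vulnerability-scan results, firewall logs and topology so that alerts against hosts that could not have been affected are ranked down instead of being suppressed by disabling signatures. As an added illustration (not code from this thread, from CS-MARS, or from any vendor), the following Python sketch applies that logic to constructed sample data; the host profiles, firewall log entries, signature names and VULN-* identifiers are invented placeholders.

```python
"""Correlate IDS alerts with constructed scan and firewall data so that
only alerts that could plausibly have succeeded reach the analyst queue.
All hosts, alerts and identifiers below are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    sig: str         # signature name (constructed)
    src: str
    dst: str
    dport: int
    targets_os: str  # OS family the signature's exploit applies to
    targets_vuln: str  # vulnerability id the signature detects (placeholder)


@dataclass
class HostProfile:
    os_family: str
    open_ports: Set[int]
    vulns: Set[str]  # findings from the vulnerability scanner (placeholder ids)


# Stand-in for vulnerability-scanner output, keyed by IP address.
HOSTS: Dict[str, HostProfile] = {
    "10.0.0.5": HostProfile("windows", {80, 445}, {"VULN-A"}),
    "10.0.0.9": HostProfile("linux", {22, 80}, set()),
}

# Stand-in for firewall log entries: (src, dst, dport, action).
FW_LOG: List[Tuple[str, str, int, str]] = [
    ("203.0.113.7", "10.0.0.5", 445, "deny"),
    ("203.0.113.7", "10.0.0.9", 80, "permit"),
    ("198.51.100.4", "10.0.0.5", 445, "permit"),
]

# Constructed IDS alerts as a sensor outside the firewall might raise them.
ALERTS: List[Alert] = [
    Alert("SMB-exploit-X", "203.0.113.7", "10.0.0.5", 445, "windows", "VULN-A"),
    Alert("HTTP-exploit-Y", "203.0.113.7", "10.0.0.9", 80, "windows", "VULN-B"),
    Alert("SMB-exploit-X", "198.51.100.4", "10.0.0.5", 445, "windows", "VULN-A"),
    Alert("SSH-probe-Z", "198.51.100.4", "10.0.0.9", 22, "linux", "VULN-C"),
    Alert("HTTP-exploit-Y", "198.51.100.4", "10.0.0.20", 80, "windows", "VULN-B"),
    Alert("SMB-exploit-X", "198.51.100.4", "10.0.0.9", 445, "windows", "VULN-A"),
]

# Verdicts that still need a human: confirmed exposure, or no data to rule it out.
HIGH_PRIORITY = {"vulnerable", "unknown_host"}


def classify(alert: Alert, hosts: Dict[str, HostProfile],
             fw_log: List[Tuple[str, str, int, str]]) -> str:
    """Return a verdict explaining why the alert is or is not actionable."""
    # Topology check: a firewall deny for this exact flow means the
    # packets never reached the target, so the event is informational.
    for src, dst, dport, action in fw_log:
        if (src, dst, dport) == (alert.src, alert.dst, alert.dport) and action == "deny":
            return "blocked"
    host = hosts.get(alert.dst)
    if host is None:
        return "unknown_host"      # no scan data: cannot rule it out, keep it
    if alert.dport not in host.open_ports:
        return "port_closed"       # nothing listening on the attacked port
    if host.os_family != alert.targets_os:
        return "os_mismatch"       # exploit for a different platform
    if alert.targets_vuln in host.vulns:
        return "vulnerable"        # scanner confirms the flaw is present
    return "not_vulnerable"        # service present but patched/unaffected


def needs_review(alerts: List[Alert], hosts: Dict[str, HostProfile],
                 fw_log: List[Tuple[str, str, int, str]]) -> List[Alert]:
    """Alerts an analyst should still look at after correlation."""
    return [a for a in alerts if classify(a, hosts, fw_log) in HIGH_PRIORITY]


def summarize(alerts: List[Alert], hosts: Dict[str, HostProfile],
              fw_log: List[Tuple[str, str, int, str]]) -> Dict[str, int]:
    """Count alerts per verdict; useful for measuring how much noise is removed."""
    return dict(Counter(classify(a, hosts, fw_log) for a in alerts))


if __name__ == "__main__":
    for alert in ALERTS:
        print(f"{alert.sig:15} -> {alert.dst}:{alert.dport}  {classify(alert, HOSTS, FW_LOG)}")
    print("summary:", summarize(ALERTS, HOSTS, FW_LOG))
    print("for review:", len(needs_review(ALERTS, HOSTS, FW_LOG)), "of", len(ALERTS))
```

Note that nothing is discarded: every verdict is kept for reporting, and only the events that the scan and firewall data cannot explain away are promoted to the review queue. The "unknown_host" branch is the important caveat: a host the scanner has never seen must not be treated as safe, otherwise gaps in scan coverage silently become gaps in detection.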

-----Original Message-----
From: Sam Heshbon [mailto:sheshbon () yahoo com] 
Sent: Sunday, December 25, 2005 3:21 AM
To: focus-ids () lists securityfocus com
Subject: Tuning false positives

My company is testing a few intrusion detection & prevention products.
In the first few hours/days after deployment the machines alert on tens
of thousands of events, which is way too much for us to ever go through,
most of which are false alarms.
   
The vendor's solution is tuning the systems, which means shutting down
signatures, detection mechanisms, omitting defragmentation tests and so
on. These tunings do reduce dramatically the number of alerts, but it
seems most of the detection capabilities have been shut off too, so
things are nice and quiet but we've no idea what's really going on in
our network apart from catching the trivial threats such as old worms,
which don't get false alarms.
Has anyone encountered this situation? Anyone got a solution?
   
Thanks
   
Sam




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
