https://community.cisco.com/t5/network-security/dealing-with-false-positive-alerts/m-p/1122170#M79092 <HTML><HEAD></HEAD><BODY><P>4500 UDP is for VPN tunnels. It is often a false positive for what you referenced. Just create Flase Postive event for the two hosts and tune it to log to DB only if you are using CSMARS, and I think it has already been answered for the IPS.</P></BODY></HTML> Thu, 21 Aug 2008 19:31:15 GMT mdreelan 2008-08-21T19:31:15Z https://community.cisco.com/t5/network-security/dealing-with-false-positive-alerts/m-p/1122167#M79088 <P>I have hits on a BO2K-UDP signature. I looked up the ip address on Arin and it is from a company that we would probably do business with. Using nmap, I fingerprinted the remote server and it appears to be a standard MS Web/Mail server.</P><P></P><P>How do I tell IPS to ignore the host while paying attention to the rule ?</P><P></P><P>Ron</P> Sun, 10 Mar 2019 11:15:34 GMT https://community.cisco.com/t5/network-security/dealing-with-false-positive-alerts/m-p/1122167#M79088 Ronald Nutter 2019-03-10T11:15:34Z https://community.cisco.com/t5/network-security/dealing-with-false-positive-alerts/m-p/1122168#M79089 <HTML><HEAD></HEAD><BODY><P>Set up an Event Action Filter to subtract the action of producing an alert when the alert includes for instance from attacker ip on port 4500 to this victim ip on port 4500 and the reverse</P><P></P><P>I'm not sure if that's what you're asking but I hope that helps</P></BODY></HTML> Wed, 20 Aug 2008 22:37:14 GMT https://community.cisco.com/t5/network-security/dealing-with-false-positive-alerts/m-p/1122168#M79089 genewolfe 2008-08-20T22:37:14Z https://community.cisco.com/t5/network-security/dealing-with-false-positive-alerts/m-p/1122169#M79091 <HTML><HEAD></HEAD><BODY><P>Do the 'event action filter' bit only if you are seeing this event numerous times. Occasionally any web client (browser) could choose the source port 4500 at random. The returning traffic from the web server to the client on port 4500 is consider BO2K by the IPS. </P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Thu, 21 Aug 2008 01:59:14 GMT https://community.cisco.com/t5/network-security/dealing-with-false-positive-alerts/m-p/1122169#M79091 Farrukh Haroon 2008-08-21T01:59:14Z https://community.cisco.com/t5/network-security/dealing-with-false-positive-alerts/m-p/1122170#M79092 <HTML><HEAD></HEAD><BODY><P>4500 UDP is for VPN tunnels. It is often a false positive for what you referenced. Just create Flase Postive event for the two hosts and tune it to log to DB only if you are using CSMARS, and I think it has already been answered for the IPS.</P></BODY></HTML> Thu, 21 Aug 2008 19:31:15 GMT https://community.cisco.com/t5/network-security/dealing-with-false-positive-alerts/m-p/1122170#M79092 mdreelan 2008-08-21T19:31:15Z