425 Views | 0 Helpful | 2 Replies

False positive filter

altaf007
Level 1

I have an IDS 4250 running 5.0 software. I manage it through IPSMC. I am getting lots of false positives on my IPSMC Security Monitor console. How do I filter them so they do not show up in Security Monitor? In IDS 4.x there was an option in IDSMC to create a filter and exclude those false positives. I don't know how to do it in IPSMC with version 5.0. Thanks

2 Replies

gfullage
Cisco Employee

Use the "SigEvent Action Filters" section to create filters. These are the basic filters you know in v4.x but a lot more powerful now. For example, if you have actions on a particular sig of say, Produce Alert and TCP Reset, you can create a SigEvent Action Filter to just not do the TCP Reset if this sig fires for a certain address, etc. Before you pretty much just filtered the entire alert, but now you can filter particular actions on alerts (hence the name change).

If the only action you have on a particular signature is Produce Alert, then filter that action out in your new SigEvent Action Filter, and that in effect is doing the same thing as the filtering in v4.x.

Hope that helps.
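To make the distinction in the reply above concrete, here is an added Python model (not Cisco code and not part of the original thread) of how a SigEvent Action Filter strips individual actions from a matching event, and why removing the only action, Produce Alert, collapses to the v4.x "whole alert filtered" behaviour. The signature IDs, addresses and filter fields are constructed for the demo and only approximate the real filter's matching criteria.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Action names follow the two mentioned in the reply above.
PRODUCE_ALERT, TCP_RESET = "produce-alert", "tcp-reset"


@dataclass(frozen=True)
class Event:
    """One signature firing (constructed sample values in the demo below)."""
    sig_id: int
    attacker: str
    actions: frozenset


@dataclass(frozen=True)
class ActionFilter:
    """One action filter: remove a subset of actions for events that match."""
    sig_ids: range                 # signature ID range the filter applies to
    attacker_net: str              # attacker address range, CIDR notation
    actions_to_remove: frozenset

    def matches(self, ev: Event) -> bool:
        return (ev.sig_id in self.sig_ids
                and ip_address(ev.attacker) in ip_network(self.attacker_net))


def apply_filters(ev: Event, filters) -> frozenset:
    """Return the actions that survive all matching filters.
    An empty result means the event produces nothing at all, which is the
    same outcome as the v4.x filter that dropped the entire alert."""
    remaining = set(ev.actions)
    for f in filters:
        if f.matches(ev):
            remaining -= f.actions_to_remove
    return frozenset(remaining)


# Constructed demo filters (hypothetical signature IDs and address ranges):
#  - sig 2004 from the 10.1.1.0/24 lab net: keep the alert, drop only the TCP reset
#  - sig 3050 from a known scanner host: drop the alert entirely (its only action)
FILTERS = (
    ActionFilter(range(2004, 2005), "10.1.1.0/24", frozenset({TCP_RESET})),
    ActionFilter(range(3050, 3051), "10.1.1.9/32", frozenset({PRODUCE_ALERT})),
)


def demo() -> dict:
    """Run three constructed events through FILTERS and report surviving actions."""
    both = frozenset({PRODUCE_ALERT, TCP_RESET})
    return {
        "lab_host": apply_filters(Event(2004, "10.1.1.5", both), FILTERS),
        "outside_host": apply_filters(Event(2004, "192.168.1.1", both), FILTERS),
        "scanner": apply_filters(Event(3050, "10.1.1.9", frozenset({PRODUCE_ALERT})), FILTERS),
    }
```

Running `demo()` shows the lab host still alerts but is not reset, the outside host keeps both actions, and the scanner event is left with no actions at all.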

Hi, I would really appreciate it if someone would help me with this.

It is about the documentation process. If the security team figures out there is a false positive alarm and wants to add a filter or disable an alarm, what is the normal practice in the organization? Do they normally raise a change control to do it, or have a security meeting with the server and network teams to develop a consensus on what we need to do with this false alarm, like disable the alarm or add a filter?
