Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
368
Views
0
Helpful
1
Replies

False Positives - Filter them at the IPS or in MARS?

mlinsemier
Level 1
Level 1

‎04-11-2006 11:31 AM - edited ‎03-10-2019 01:58 AM

I am currently in the process of configuring MARS to monitor two Cisco 4215 IPS sensors. I have rebuilt both of the sensors with the latest software (5.1d) and signatures and they are loggin events as expected.

My question is, where is it best to filter out the false positives, at the IPS device or at the MARS device? I have always been doing it at the individual IPS once I discover that there is one. Does anyone have any input or a best practice suggestion in regards to this?

Matt

Edit: This was answered in another post that I so blatantly missed.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddaebb0

Labels:
0 Helpful
1 Reply 1

pradeepde
Level 5
Level 5

‎04-17-2006 12:06 PM

I would say, it depends. If you wanted to see all the alarms, both false and true alrams, then do not filter at IPS. This may be useful in tuning the alarms and signatures during initial implementation. If your network is fairly stable, then you can disable the false alarms at the IPS. But it is always better to take a look at even the "false" alarms to make sure they are indeed "false". You will have to draw the line between the two options.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card