04-29-2005 06:17 AM - edited 03-10-2019 01:25 AM
I have recently installed 2 scanning machines on my network and am wondering what the best approach would be for ignoring the IDS alarms that they set off.
I am using VMS to view events from a number of sensors. It is set to view 50k events by default; when I go much higher than that my box crawls, and with all the TCP SYN Host Sweep and TCP SYN Port Sweep alerts being generated by my 2 scanning boxes, my 50k alerts are only covering a short timeframe.
The scanning machines are running Windows 2003 with SQL Server on one of them, so I don't want to eliminate alerts from them altogether, but if I could somehow get rid of this enormous amount of noise that would be best.
So should I be tuning the alert on the sensor itself to exclude sig X and Y for attacker IPs of A and B? Or can I build a filter in VMS so that when I view alerts it filters out any alerts from those IPs?
05-06-2005 06:45 AM
Good questions. This is another great example of "What's the best practice?" that I think we, as a community, should better address.
Anyway, since you want to continue to protect the hosts you use to perform network scans, while at the same time filtering out the IDS alerts they generate while performing their assigned tasks, I'd like to suggest some event filters.
I'm going to assume you know how to build event filters, so I'll skip over the instructional elements and get right to the suggestions.
I suggest you start by identifying exactly which SigIDs are being generated by a typical scan (for example, 2100, 3002 and 3030, which are ICMP netsweep w/ echo, TCP Syn Port sweep and TCP Syn Host sweep respectively; they are common occurrences when network scanners are at work). Take this list of SigIDs and combine it with the two IP addresses as sources to make a filter.
Quick tip - you can put all the SigIDs into one filter by separating them with commas (no spaces). This way, a single event filter can deal with multiple SigIDs for the two IP addresses.
IMHO, it's always better to squelch known false positive/accepted traffic at the sensors, vice filtering it out at the Monitoring Console. Essentially, this improves the value of your collected IDS alarms by not introducing unwanted data to your SecMon (or SIMS), which typically employs a backend DB. Fewer records in the DB means more efficient searches and reports can be generated from it.
I hope this helps,
Alex Arndt
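The filter semantics Alex describes (a comma-separated SigID list, optionally with ranges, combined with an attacker address or address/netmask), modelled as an offline Python stand-in. This is an added example, not Cisco's sensor or IDS MC code; the scanner IPs, the sample events and the 144.99.12.0/255.255.254.0 filter's role as an attacker-address filter are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class EventFilter:
    """One sensor event filter: which SigIDs to drop for which attacker addresses."""
    name: str
    sig_spec: str       # "2100,3002,3030" (comma list, no spaces) or "3337-3338" (range)
    attacker_spec: str  # "A.B.C.D" or "A.B.C.D/255.255.254.0" (dotted netmask form)

    def sig_ids(self) -> set:
        """Expand the SigID spec into the concrete set of IDs it covers."""
        ids = set()
        for part in self.sig_spec.split(","):
            lo, _, hi = part.partition("-")
            ids.update(range(int(lo), int(hi or lo) + 1))
        return ids

    def attacker_net(self) -> ipaddress.IPv4Network:
        # ip_network accepts both prefix-length and dotted-netmask notation.
        return ipaddress.ip_network(self.attacker_spec, strict=False)

    def matches(self, event: dict) -> bool:
        """True when this filter would squelch the event (SigID and attacker both match)."""
        return (event["sig_id"] in self.sig_ids()
                and ipaddress.ip_address(event["attacker"]) in self.attacker_net())


def apply_filters(events, filters):
    """Return only the events no filter squelches, i.e. what reaches the console DB."""
    return [e for e in events if not any(f.matches(e) for f in filters)]


# Constructed sample alerts: two scanner hosts (10.0.0.5/.6), one unrelated sweeper,
# and two AD-related alerts, one inside and one outside the /23 from the thread.
SAMPLE_EVENTS = [
    {"sig_id": 2100, "attacker": "10.0.0.5", "victim": "10.1.2.3"},     # scanner: drop
    {"sig_id": 3002, "attacker": "10.0.0.6", "victim": "10.1.2.4"},     # scanner: drop
    {"sig_id": 3030, "attacker": "10.0.0.5", "victim": "10.1.2.5"},     # scanner: drop
    {"sig_id": 3030, "attacker": "10.0.0.99", "victim": "10.1.2.5"},    # not a scanner: keep
    {"sig_id": 5081, "attacker": "10.0.0.5", "victim": "10.1.2.6"},     # other sig on scanner: keep
    {"sig_id": 3337, "attacker": "144.99.13.200", "victim": "10.1.9.9"},  # inside /23: drop
    {"sig_id": 3338, "attacker": "144.99.14.1", "victim": "10.1.9.9"},    # outside /23: keep
]

FILTERS = [
    EventFilter("Scanner A", "2100,3002,3030", "10.0.0.5"),
    EventFilter("Scanner B", "2100,3002,3030", "10.0.0.6"),
    EventFilter("AD Server", "3337-3338", "144.99.12.0/255.255.254.0"),
]


def remaining_events():
    return apply_filters(SAMPLE_EVENTS, FILTERS)
```

Alerts from the scanner hosts that are not sweep signatures still get through, which is the behaviour the original poster asked for.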
06-10-2005 11:34 AM
I set a filter to exclude sigs 3337-3338; here is the filter:
AD Server Exclude 3337-3338 All Subsignatures Any 144.99.12.0/255.255.254.0
but I am still getting events in the Security Monitor. Do I have to set an event rule for this? Or do I need an include in the IDS MC filter?
Thanks