Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
330
Views
0
Helpful
1
Replies

Investigating alerts for false positives

twiggles
Level 1
Level 1

‎02-07-2003 04:45 PM - edited ‎03-09-2019 02:01 AM

I come from Snort IDS so pardon my confusion. I have been asked by my boss(es) to trim down the number of alerts we are seeing by culling false positives and perhaps adjusting thresholds. My problem is simply that my first step in determining the validity of alarms is *looking at the signature*.

Obviously I'm not the only one in this situation. Does anyone have any advice/help/suggestions for a newbie to closed-signature investigation? How do you know what's worth looking at and what's likely false?

Labels:
0 Helpful
1 Reply 1

n-timm
Level 1
Level 1

‎02-08-2003 12:43 PM

The best way to start is to filter the data so you know what signatures fire most often then start by investigating those maybe entering excluded patterns or possible tuning the sig depending on your network. Just work your way down the list Using the if you use SigWizMenu you can do the actuall tun the signatures also.

0 Helpful
Customers Also Viewed These Support Documents