Billy,
you can defenitively disable IDS alerts for software which you don't have
running in your environment. I would even recommend so, as it is the only
way of reducing the number of alerts (especially the number of false
positives) to a manageable amount. As long as you produce to many alerts,
administrators tend to ignore them which will render your IDS ineffective.
Best regards
Reto Baumann
--------------------------------------------------------------------
Reto Baumann - GCFW, GCIA, GSEC, CCNA
IT Security Specialist, Strategic Outsourcing Security
"Billy Dodson"
<CraftedPacket@se
curitynerds.org> To
focus-ids@lists.securityfocus.com
31.12.2004 16:37 cc
Subject
Please respond to IDS event filtering
CraftedPacket
I am wanting to get an idea of what you guys out there filter from your
IDS sensors. Some of the sensors I monitor get TONS of events for MSSQL
control overflows. If the customer is patched for slammer and does not
have any SQL services on the internet, is it safe to filter out those
events? Do you still want to see that traffic even though you know your
are not vulnerable? Thanks!
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
