Hi Sam,
If your infrastructure is heterogeneous with load
balancers, proxies, backup server and other monitoring
softwares then traffic from them will definitely
generate lot of false alarms when sensed by IDS.
Unchecking whole signature for reducing false alarms
is not a good idea instead create filters by following
below steps
- Check with other teams who manage load balancers and
other stuffs and note down the ports numbers, protocol
and kind of traffic their software/hardware generate
and the IP numbers of all these machines and clients.
- Recognize the false events these devices fire and
create filters in IDS policy from particular source
to particular destination.
Example: If LAN users access the internet through
HTTP proxy you will see lot of HTTP based attacks form
internal clients to proxy server which are false, so
create filters for these IDS events from all LAN users
to proxy server in IDS policy. Next time event won't
trigger if the traffic is from LAN users to proxy, for
other external attaks it will trigger the event.
- Don't forget to document the filters you created
with comments for future reference and note that this
is continuous cycle.
Regards
Ismail
-- Sam Heshbon <sheshbon@yahoo.com> wrote:
My company is testing a few intrusion detection &
prevention products. On the first few hours/days
after deployment the machines alert on ten of
thousands of events, which is way too much for us to
ever go through, most of which are false alarms.
The vendor�s solution is tuning the systems, which
means shutting down signatures, detection
mechanisms, omitting defragmentation tests and so
on. These tunings do reduce dramatically the
number of alerts, but it seems most of the detection
capabilities have been shut off too, so
things are
nice and quite but we've no idea what's really going
on in our network apart from catching the
trivial threats such as old worms, which don�t get
false alarms.
Has anyone encountered this situation? Anyone got a
solution?
Thanks
Sam
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam
protection around
http://mail.yahoo.com
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
__________________________________________
Yahoo! DSL ? Something to write home about.
Just $16.99/mo. or less.
dsl.yahoo.com
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
