How to tune a false positive alarm

Posted on 2009-04-21
Last Modified: 2012-05-06
Hello, in work we have just had a Cisco MARS appliance installed by a contractor and it is monitoring around 19 routers on our network.  It's up to me now to start tuning the false positives into something meaningful.

How do I go about picking 1 alarm and tuning it as a false positive so it is no longer displayed on the dashboard, etc?

Just some quick info for me would really help.  Thanks, Kevin
Question by: ohareka

Accepted Solution

by: newbieal (earned 1500 total points)
ID: 24199305
False positives happen when the IDS mistakenly thinks that normal traffic is malicious.  To reduce them you have to fine-tune the system by letting it know what normal traffic means on your network.

Cisco has provided some great guidance on how to reduce false positives here:
http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a008072f396.html#wp1030968
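To make the "teach it what normal looks like" advice concrete, here is an added example (not MARS code, and not from the answer above) of a minimal tuning-rule evaluator: an alarm is hidden from the dashboard only when a rule scoped to a specific event, source and reporting device matches it, and every suppression is kept in an audit list so it can be reviewed later. The alarm records, host addresses and rule fields are constructed for this illustration and are assumptions, not MARS output.

```python
from typing import Optional
from dataclasses import dataclass

# Constructed sample alarms (assumed shape, not real MARS records).
SAMPLE_ALARMS = [
    {"event": "ICMP Sweep", "src": "10.0.5.20", "dst": "10.0.0.0/24", "device": "rtr-core-1"},
    {"event": "ICMP Sweep", "src": "192.0.2.77", "dst": "10.0.0.0/24", "device": "rtr-core-1"},
    {"event": "SNMP Brute Force", "src": "10.0.5.20", "dst": "10.0.1.1", "device": "rtr-edge-3"},
]


@dataclass
class TuningRule:
    """A false-positive rule. None in src/device means 'match any'."""
    event: str
    src: Optional[str] = None
    device: Optional[str] = None
    reason: str = ""

    def matches(self, alarm: dict) -> bool:
        return (alarm["event"] == self.event
                and (self.src is None or alarm["src"] == self.src)
                and (self.device is None or alarm["device"] == self.device))


def apply_tuning(alarms, rules):
    """Return (dashboard, audit): alarms still shown, and each suppressed alarm
    tagged with the reason of the rule that hid it (suppressed alarms are never discarded)."""
    dashboard, audit = [], []
    for alarm in alarms:
        rule = next((r for r in rules if r.matches(alarm)), None)
        if rule is None:
            dashboard.append(alarm)
        else:
            audit.append({**alarm, "suppressed_by": rule.reason})
    return dashboard, audit


# Narrow rule: only the (assumed) monitoring server's scheduled pings are benign.
NARROW_RULES = [TuningRule(event="ICMP Sweep", src="10.0.5.20", device="rtr-core-1",
                           reason="NMS availability polling, change ticket CHG-0000 (placeholder)")]

# Broad rule for comparison: hiding the whole event type also hides the external sweep.
BROAD_RULES = [TuningRule(event="ICMP Sweep", reason="too broad: hides all ICMP sweeps")]

if __name__ == "__main__":
    shown, hidden = apply_tuning(SAMPLE_ALARMS, NARROW_RULES)
    print(f"dashboard: {len(shown)} alarms, audit log: {len(hidden)} suppressed")
```

The point of the comparison constants is that tuning on the event name alone would also suppress the sweep from the external address; a rule should be as narrow as the known-benign behaviour it describes.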
Author Closing Comment

by: ohareka
ID: 31573022
Looks as if I have some reading to do first but this is along the right lines of what I'm trying to do.  The link you have sent is helpful and accurate.  Thanks for your advice, Kevin
Expert Comment

by: newbieal
ID: 24219530
Kevin,

Keep in mind that fine-tuning will be an ongoing process, in particular when there are changes to your network, such as new apps, new configuration, etc.

Good luck!