How to tune a false positive alarm

Posted on 2009-04-21
Last Modified: 2012-05-06
Hello, at work we have just had a Cisco MARS appliance installed by a contractor and it is monitoring around 19 routers on our network. It's up to me now to start tuning the false positives into something meaningful.

How do I go about picking one alarm and tuning it as a false positive so it is no longer displayed on the dashboard, etc.?

Just some quick info for me would really help. Thanks, Kevin
Question by: ohareka
    LVL 4

    Accepted Solution

    False positives happen when the IDS mistakenly thinks that normal traffic is malicious. To reduce them you have to fine-tune the system by letting it know what normal traffic means on your network.

    Cisco has provided some great guidance on how to reduce false positives here:

    Author Closing Comment

    Looks as if I have some reading to do first, but this is along the right lines of what I'm trying to do. The link you have sent is helpful and accurate. Thanks for your advice, Kevin
    LVL 4

    Expert Comment

    Keep in mind that fine-tuning will be an ongoing process, in particular when there are changes to your network, such as new apps, new configuration, etc.

    Good luck!
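The two points made in the thread (the accepted solution: tell the system what normal traffic looks like; the follow-up comment: revisit the tuning whenever the network changes) are shown below as an added example. This is illustrative Python written for this page, not Cisco MARS's own rule engine, drop-rule syntax or configuration; the signature names, hosts, devices, owners and review dates are all constructed sample data. A "tuning rule" here is a suppression scoped to one signature plus a known-benign source or destination, carrying a justification and a review date; rules past their review date stop being applied, so the alert resurfaces and forces someone to re-check the justification instead of silently hiding traffic forever.

```python
"""Illustrative false-positive tuning pass over IDS-style alerts.

Added example, not Cisco MARS's own mechanism. A TuningRule is a narrowly
scoped suppression (signature + benign source/destination scope) with an
owner and a review date. All alert and rule data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Alert:
    sig: str        # signature / event name that fired
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port (0 if not applicable)
    device: str     # reporting device (constructed names)


@dataclass
class TuningRule:
    name: str
    sig: str                          # signature to suppress
    src_net: Optional[str] = None     # benign source scope as CIDR, or None
    dst_net: Optional[str] = None     # benign destination scope as CIDR, or None
    dport: Optional[int] = None       # optional port scope
    reason: str = ""                  # why this traffic is normal here
    owner: str = ""                   # who vouches for the reason
    review_by: date = date.max        # rule must be re-justified by this date

    def __post_init__(self) -> None:
        # Guardrail: never suppress a signature network-wide. A rule has to
        # name the source or destination that makes the traffic benign.
        if self.src_net is None and self.dst_net is None:
            raise ValueError(f"rule {self.name!r} needs a source or destination scope")

    def matches(self, a: Alert) -> bool:
        if a.sig != self.sig:
            return False
        if self.src_net and ip_address(a.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(a.dst) not in ip_network(self.dst_net):
            return False
        if self.dport is not None and a.dport != self.dport:
            return False
        return True


def tune(alerts, rules, today):
    """Return (kept, suppressed, expired).

    kept:       alerts no active rule matched; these still reach the dashboard
    suppressed: (alert, rule_name) pairs hidden by an active rule
    expired:    names of rules past review_by; they are NOT applied, so the
                traffic shows up again until the rule is re-justified
    """
    active = [r for r in rules if r.review_by >= today]
    expired = [r.name for r in rules if r.review_by < today]
    kept, suppressed = [], []
    for a in alerts:
        hit = next((r for r in active if r.matches(a)), None)
        if hit is None:
            kept.append(a)
        else:
            suppressed.append((a, hit.name))
    return kept, suppressed, expired


# Constructed sample alerts: 10.0.5.20 plays the role of an internal
# monitoring server; 192.0.2.77 is an external (documentation-range) host.
ALERTS = [
    Alert("ICMP Sweep", "10.0.5.20", "10.0.9.1", 0, "rtr-core-1"),
    Alert("ICMP Sweep", "192.0.2.77", "10.0.9.1", 0, "rtr-core-1"),
    Alert("SNMP Community Brute Force", "10.0.5.20", "10.0.9.3", 161, "rtr-edge-4"),
    Alert("SSH Brute Force", "10.0.5.20", "10.0.9.3", 22, "rtr-edge-4"),
]

# Constructed tuning rules. The SNMP rule's review date has already passed
# relative to the sample 'today' below, so it is reported, not applied.
RULES = [
    TuningRule("nms-icmp", "ICMP Sweep", src_net="10.0.5.20/32",
               reason="NMS availability polling", owner="netops",
               review_by=date(2010, 1, 1)),
    TuningRule("nms-snmp", "SNMP Community Brute Force", src_net="10.0.5.20/32",
               dport=161, reason="NMS SNMP polling", owner="netops",
               review_by=date(2009, 3, 1)),
]


def run(today: date = date(2009, 4, 21)):
    return tune(ALERTS, RULES, today)


if __name__ == "__main__":
    kept, suppressed, expired = run()
    for a in kept:
        print("SHOW    ", a.sig, a.src, "->", a.dst, a.device)
    for a, rule in suppressed:
        print("SUPPRESS", a.sig, a.src, "->", a.dst, "by", rule)
    print("REVIEW  ", expired)
```

Only the monitoring server's ICMP sweep is hidden; the same signature from the external host stays visible because the rule is scoped to the source, the SNMP alert reappears because its rule is overdue for review, and the SSH alert was never tuned. Rejecting unscoped rules at construction time is the cheap way to keep "tune the false positive" from turning into "switch the signature off".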
