This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

A lot of IPS false positives.

I am seeing a large number of false positives from the IPS.

Here is one that claims I downloaded a scrensaver from Sophos. I only downloaded the ISO and one update. Maybe a pattern or two...

https://www.threatcrowd.org/ip.php?ip=208.111.171.148

This one is FROM the internal IP of my UTM.

I suspect this is also a false positive. I will check it out tomorrow with some threat intel feeds and tools we have at work.

Is there anyway to view the packets or the actual triggers of these events?

I am looking into building a Security Onion box for this, but that has not happened yet.

Is there anyway to tweak the rules, other then turning off the IPS or a rule.

Are we ever going to be able to add/create rules for the IPS - or add other feeds?

Thanks,

C68

This thread was automatically locked due to age.

Parents

0 Scott_Klassen over 10 years ago

Well, the rule will be triggered every time the trigger happens, there's no limiter, so it can be very noisy if it's triggering on common traffic patterns. If you know it's a false positive, you can disable the rule or just disable notifications for the rule.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Scott_Klassen over 10 years ago

Well, the rule will be triggered every time the trigger happens, there's no limiter, so it can be very noisy if it's triggering on common traffic patterns. If you know it's a false positive, you can disable the rule or just disable notifications for the rule.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data