Document ID: 13876
Cisco has announced the End-of-Sale (EoS) for the Cisco Secure IDS Director. Refer to Product Bulletin No. 1978 for more information.
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
False Positive and False Negative Alarms
The Cisco Secure IDS Exclude Mechanism
Exclude a Host
Exclude a Network
Globally Disable Signatures
Exclude Alarms Temporarily
Related Information
Introduction
This document discusses the exclusion of false positive alarms for Cisco Secure Intrusion Detection System (IDS).
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Cisco Secure Intrusion Detection System (IDS) version 2.2.1.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
False Positive and False Negative Alarms
Cisco Secure IDS (formerly NetRanger) triggers an alarm when a given packet or sequence of packets matches the characteristics of known attack profiles defined in the Cisco Secure IDS signatures. A critical IDS signature design criterion is to minimize the occurrence of false positive and false negative alarms.
False positives (benign triggers) occur when the IDS reports certain benign activity as malicious. This requires human intervention to diagnose the event. A large number of false positives can significantly drain resources, and the specialized skills required to analyze them are costly and difficult to find.
False negatives occur when the IDS does not detect and report actual malicious activity. The consequence can be catastrophic, so signatures must be continuously updated as new exploits and hacking techniques are discovered. Minimizing false negatives is given a very high priority, sometimes at the expense of a higher occurrence of false positives.
Due to the nature of the signatures that IDSs use to detect malicious activity, it is almost impossible to completely eliminate false positives and negatives without severely degrading the effectiveness of the IDS or severely disrupting the computing infrastructure of an organization (such as hosts and networks). Customized tuning when an IDS is deployed minimizes false positives. Periodic re-tuning is required when the computing environment changes (for example, when new systems and applications are deployed). Cisco Secure IDS provides a flexible tuning capability that can minimize false positives during steady-state operations.
The Cisco Secure IDS Exclude Mechanism
Cisco Secure IDS provides the capability to exclude a specific signature for traffic from or to a specific host or network address. Excluded signatures do not generate alarm icons or log records when they are triggered by the hosts or networks that are specifically excluded through this mechanism. For example, a network management station might perform network discovery by running ping sweeps, which trigger the ICMP Network Sweep with Echo signature (signature ID 2100). If you exclude the signature for that station, you do not have to analyze and delete the alarm every time the network discovery process runs.
Note: You can exclude only a host as the source of the alarm through the Excluded Addresses tab.
Exclude a Host
Complete these steps to exclude a specific host (a source IP address) from generating a specific signature alarm:
- Select the Excluded Addresses tab in the Intrusion Detection window in nrConfigure.
- Click Add.
- Type the Signature, Subsignature, and Network Address, as in this window. Then click OK.
Exclude a Network
The Excluded Networks tab excludes specific signatures based on a source or destination network address. Use the Addr Role field in the add window to specify whether the defined network address is an alarm source, destination, or both. The Excluded Networks tab can also be used to exclude individual hosts if you specify a host IP address and a 32-bit Subnet Mask (255.255.255.255). When you use the Excluded Networks tab to exclude a host, you can use the Addr Role field to designate the host as an alarm destination; the Excluded Addresses tab limits you to defining alarm sources.
Complete these steps to exclude a network from generating a specific signature alarm:
- Select the Excluded Networks tab in the Intrusion Detection window in nrConfigure.
- Click Add.
- Type the Signature, Subsignature, Network Address, and Subnet Mask, and select Source, Destination, or Both for the Addr Role. Then click OK.
Globally Disable Signatures
You might want to disable a signature from alarming at any time. Specify a severity level of 0 (zero) in the loggerd or smid (or both loggerd and smid) columns in the General Signatures window to globally disable a signature. For example, the highlighted signature in this window (signature ID 2100) has severity levels of zero defined for both loggerd and smid. This means that ping sweeps are not logged or displayed as alarm icons in the HPOV display.
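The following is an added example, not Cisco code, that models the exclude semantics described in the Exclude a Host, Exclude a Network and Globally Disable Signatures sections so that a planned set of excludes can be checked against sample alarms before it is applied to a Sensor. Rule fields mirror the Excluded Networks tab; the Excluded Addresses tab is the special case of a 32-bit mask with the source role. The sample rules and alarms are constructed, and the treatment of the Both role as matching either address is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ExcludeRule:
    """One row of the Excluded Networks tab (constructed model, not Cisco code).
    A 32-bit mask with role "source" is what the Excluded Addresses tab adds."""
    signature: int
    subsignature: int
    address: str
    mask: str = "255.255.255.255"   # 32-bit mask = a single host
    role: str = "source"            # Addr Role: "source", "destination" or "both"

    def matches(self, sig, subsig, src, dst):
        if (sig, subsig) != (self.signature, self.subsignature):
            return False
        net = ip_network(f"{self.address}/{self.mask}", strict=False)
        in_net = {"source": ip_address(src) in net,
                  "destination": ip_address(dst) in net}
        if self.role == "both":
            # Assumption: "Both" suppresses the alarm when the excluded
            # network appears in either role.
            return in_net["source"] or in_net["destination"]
        return in_net[self.role]


def disposition(alarm, rules, severities):
    """Decide whether an alarm (sig, subsig, src_ip, dst_ip) is logged by
    loggerd and shown by smid. `severities` maps signature -> (loggerd, smid)
    severity levels; a zero level globally disables that output, as in the
    General Signatures window. Any matching exclude suppresses both."""
    sig, subsig, src, dst = alarm
    if any(r.matches(sig, subsig, src, dst) for r in rules):
        return {"logged": False, "displayed": False}
    loggerd, smid = severities.get(sig, (1, 1))
    return {"logged": loggerd > 0, "displayed": smid > 0}


# Constructed sample: exclude the management station's ping sweeps
# (ICMP Network Sweep with Echo, signature 2100) and a lab /16 as destination.
RULES = [
    ExcludeRule(2100, 0, "10.0.0.10"),
    ExcludeRule(2100, 0, "10.1.0.0", "255.255.0.0", "destination"),
]
SEVERITIES = {2100: (3, 3)}   # non-zero: logged and displayed unless excluded
```

Feed `disposition` the alarms you expect from a scheduled discovery run; any alarm that still comes back logged or displayed needs another exclude or a global severity change.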
Exclude Alarms Temporarily
If you right-click an alarm icon, an Exclude Alarm menu option appears. This option applies an exclude for that specific signature ID and the source IP address of the alarm in the running configuration on the Sensor. This exclude is not written to the Sensor configuration files, so the exclude is lost any time the packetd process is restarted (for example, when you apply a new configuration).
Note: You cannot view or delete excludes applied this way. Use caution when you use this feature. If you mistakenly apply an exclude this way, use one of these methods to restart packetd on the Sensor to remove it:
- Click the Sensor icon in HP OpenView (HPOV).
- Select Security > Daemons > Restart.
or
- In the Machine/Services submap, right-click the packetd icon.
- Select Control > Stop Daemon.
- Select Start Daemon to restart packetd.
Use the Excluded Addresses or Excluded Networks tabs to make the exclude persistent.
Related Information
- End of Sale for the Cisco Secure IDS Director
- Cisco Secure Intrusion Detection Support Page
- Documentation for Cisco Secure Intrusion Detection System
- Technical Support & Documentation - Cisco Systems
Updated: Dec 04, 2005
