IPS False Positives

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

IPS False Positives

L4 Transporter

We are constantly seeing false positives like this. The victim is a Windows ActiveDirectory Server. I believe we need to add some sort of intelligence to the IPS in order to reduce these kind of false positives to an minimum.  Would it be possible to extract some intelligent information from the Firewall itself ? I mean basic information like Operating System would be a start. The Firewall might already have some deeper knowledge about an end system based on communication patterns.  Or even better PAN would have some API to an externel Vulnerability Management Tool like Qualys for example.  Roland

5 REPLIES 5

L6 Presenter

At the present time you will have to tune the vulnerability exceptions in your vulnerability profiles to reduce the rate of false positives in the threat logs and reports.

I do agree with you that there is an opportunity here to improve the product and I would suggest talking with your sales team about this idea so that they can submit a feature request on your behalf.

-Benjamin

Thanks Benjamin, I have forwarded the request to the local SE.  Roland

L4 Transporter

How do you know that it's a false positive? Have you opened a case with support and provided a pcap of the event? Just because the end host wasn't vulnerable to an attack doesn't necessarily mean that the attack didn't take place. There are some IPSs that will try to understand the host OS and use this information to either not show alerts for attacks or simply reduce the severity/confidence of the event. Since we don't have this functionality, I would rather fix the signature instead of build a feature to cover it up. Can you create a support case for the false positives that you're seeing?

Thanks,

Alfred

Simply because the "attacker" is our internal Mailserver and I can guarantee it's not compromised nor is this host infected. My focus was to point out that the end system is not vulnerable because it's not Lotus Domino LDAP Service running on it, and therefore it's a false positive. At the Moment PAN just does not know better about the victim, because it lacks the required intelligence.  But I agree with you the attack pattern could still be a match against the IPS signature for this vulnerability, but I don't want to get alerted in the middle of the night just to find out that the system is not vulnerable, not even the right OS or Service for a successfull attack, but the IPS has fired...  From my experience with several other standalone IPS vendors, be it McAfee Tipping Point or ISS, false positives are a pain. That's why Sourcefire for example has partnered up with Qualys to make a more reliable IPS (called 3D if I remember correctly) with less false positives.  I believe that's to way to go.  Roland

It would still be a good idea to open a ticket on this.  If the "attacker" is not compromised, then that means there might be a problem with the signature and it is matching on non-attack traffic.  On the other hand, there is the possibility that your mail server is compromised and you don't know it.  A call into support will help in both scenarios.

Cheers,

Kelly

  • 3659 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!