66-58
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 66 Viewing Events
Examples of Event Analysis
Removing False Positive IPS Events from the Event Table
An IPS appliance or service module (IPS device) triggers an alarm when a given packet or sequence of
packets matches the characteristics of known attack profiles defined in the IPS signatures. False positives
(benign triggers) occur when the IPS reports certain benign activity as malicious. Because each event
requires human intervention to diagnose, spending your time analyzing false-positive events can
significantly drain resources.
Due to the nature of the IPS signatures that are used to detect malicious activity, it is almost impossible
to completely eliminate false positives without severely degrading the effectiveness of the IPS or
severely disrupting the computing infrastructure of an organization (such as hosts and networks).
Customized tuning when an IPS is deployed minimizes false positives. Periodic re-tuning is required
when the computing environment changes (for example, when new systems and applications are
deployed). IPS devices provide a flexible tuning capability that can minimize false positives during
steady-state operations.
An example of a false positive is a network management station that periodically builds a network
discovery map by running ping sweeps. A ping sweep triggers the ICMP Network Sweep with Echo
signature (signature ID 2100). Thus, ICMP Network Sweep with Echo events that have the IP address
of the network management station as the source address are actually expected and desired events.
You have the following options to remove false-positive IPS events from the event table in Event Viewer:
• Filter out events from known “clean” sources.
  By filtering out the events, you do not stop their generation, but you also do not see them in the table.
  Because they are still available (you can remove the filter), you can see the events if some particular
  network behavior requires that you examine activity from the excluded host.
  There are two main drawbacks to using this technique:
  • The events are still generated, adding events to the event store.
  • The filter excludes all events from a host. You cannot create a complex filter that excludes a
    host/signature ID pair.
  The procedure below shows how to filter out events from sources that you identify as clean.
• Create event action filter rules to stop the generation of the false-positive events.
  Event action filter rules are the easiest way to stop generating events, and are thus preferable to
  editing signatures or creating custom signatures, which is a more difficult task. If you exclude a host
  in an event action filter rule, the IPS device does not generate alarms or log records when the host
  triggers the event.
  Because you can target specific signatures, rather than making a blanket exclusion of all events from
  a host, you can eliminate only those events that you are certain are benign. For example, the
  following event filter rule removes the Produce Alert action from the ICMP Network Sweep with
  Echo (2100) signature for the network management station 10.100.15.75. The network management
  host is identified as the attacker address; the action specified in an event filter rule is actually the
  action that is removed from the event. Note that if you create an event action override rule to add
  other alert-producing actions to ICMP Network Sweep with Echo events, you must also remove the
  override action in this rule.
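The following is an added example, not Cisco Security Manager or IPS code. It models the two options above (an Event Viewer source filter, and an event action filter rule that subtracts actions from matching events) on constructed sample events, so you can see why the viewer filter hides every event from the management station while the filter rule suppresses only the ICMP Network Sweep with Echo (2100) events from 10.100.15.75. It also works through the override caveat in the last paragraph: an override that adds another alert-producing action to signature 2100 reinstates the event unless the filter rule subtracts that action too. The signature ID, host address and the "Produce Alert" action name come from the guide; "Produce Verbose Alert" is a real IPS event action used here to stand in for "other alert-producing actions"; the event records, the second signature (3002) and the host 192.0.2.44 are constructed sample data.

```python
"""Added example (not Cisco Security Manager or IPS code): a small model of an
Event Viewer source filter versus an IPS event action filter rule, run on
constructed sample events. Signature 2100, host 10.100.15.75 and the action
"Produce Alert" come from the guide; "Produce Verbose Alert" is a real IPS
action used to model the override caveat; the event records are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Actions that make the sensor emit an alert, and therefore an event record.
ALERT_ACTIONS = {"Produce Alert", "Produce Verbose Alert"}

# Constructed sample events as the signature engine would raise them.
SAMPLE_EVENTS = [
    {"sig_id": 2100, "sig_name": "ICMP Network Sweep with Echo",
     "attacker": "10.100.15.75", "actions": {"Produce Alert"}},   # management station
    {"sig_id": 2100, "sig_name": "ICMP Network Sweep with Echo",
     "attacker": "192.0.2.44", "actions": {"Produce Alert"}},     # unknown host
    {"sig_id": 3002, "sig_name": "TCP SYN Port Sweep",
     "attacker": "10.100.15.75", "actions": {"Produce Alert"}},   # same station, other sig
]


def viewer_source_filter(events, excluded_hosts):
    """Option 1: hide every event whose attacker address is an excluded host.

    The events were still generated and still sit in the store; only the view
    shrinks, and the exclusion cannot be narrowed to a host/signature pair.
    """
    excluded = {ip_address(h) for h in excluded_hosts}
    return [e for e in events if ip_address(e["attacker"]) not in excluded]


@dataclass
class EventActionFilterRule:
    """Option 2: an event action filter rule. The actions named on the rule
    are the actions *subtracted* from every matching event."""
    signature_ids: set
    attacker_network: str          # single address or CIDR block
    actions_to_subtract: set

    def matches(self, event):
        return (event["sig_id"] in self.signature_ids
                and ip_address(event["attacker"]) in ip_network(self.attacker_network))


def apply_event_action_rules(events, overrides, filter_rules):
    """Overrides add actions, then filter rules subtract them; an event left
    with no alert-producing action is never logged by the sensor."""
    logged = []
    for e in events:
        actions = set(e["actions"])
        for sig_ids, added in overrides:      # (signature ids, actions to add)
            if e["sig_id"] in sig_ids:
                actions |= added
        for rule in filter_rules:
            if rule.matches(e):
                actions -= rule.actions_to_subtract
        if actions & ALERT_ACTIONS:
            logged.append({**e, "actions": actions})
    return logged


def logged_pairs(events):
    """(signature id, attacker) pairs of the events that reach the event store."""
    return sorted((e["sig_id"], e["attacker"]) for e in events)


if __name__ == "__main__":
    # Option 1 hides both events from the management station, including the port sweep.
    print(logged_pairs(viewer_source_filter(SAMPLE_EVENTS, ["10.100.15.75"])))

    # Option 2 suppresses only the ICMP sweep from the management station.
    rule = EventActionFilterRule({2100}, "10.100.15.75", {"Produce Alert"})
    print(logged_pairs(apply_event_action_rules(SAMPLE_EVENTS, [], [rule])))

    # Caveat: an override adding a verbose alert to sig 2100 brings the event
    # back unless the filter rule also subtracts that action.
    override = ({2100}, {"Produce Verbose Alert"})
    print(logged_pairs(apply_event_action_rules(SAMPLE_EVENTS, [override], [rule])))
    fixed = EventActionFilterRule({2100}, "10.100.15.75",
                                  {"Produce Alert", "Produce Verbose Alert"})
    print(logged_pairs(apply_event_action_rules(SAMPLE_EVENTS, [override], [fixed])))
```

The order modelled here (override rules add actions before filter rules subtract them) is what the guide's caveat implies: a filter that removes only Produce Alert leaves the override's action in place, so the event is still alerted on.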