My company is testing a few intrusion detection & prevention products. On the first few hours/days after deployment the machines alert on ten of thousands of events, which is way too much for us to ever go through, most of which are false alarms. The vendors solution is tuning the systems, which means shutting down signatures, detection mechanisms, omitting defragmentation tests and so on. These tunings do reduce dramatically the number of alerts, but it seems most of the detection capabilities have been shut off too, so things are nice and quite but we've no idea what's really going on in our network apart from catching the trivial threats such as old worms, which dont get false alarms. Has anyone encountered this situation? Anyone got a solution? Thanks Sam
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
