I agree with you on this point. Most products are prone to false positives in the production environment, when run in their default mode. This highlights the lack of good QA testing methodology for the product. Most vendors rub their hands off after making signatures and protocols parsers. One thing they don't realize that QA is an equally important process because companies can't afford to drop (mission critical) sessions due to a false positives. I am afraid there's nothing much you can do except grill the vendors. The vendors, on the other hand should run their products against extensive amounts of normal and malicious traffic and if it is possible even test them in production environments with cooperation of the client.
Thanks Pukhraj On 12/25/05, Sam Heshbon <[EMAIL PROTECTED]> wrote: > My company is testing a few intrusion detection & prevention products. On the > first few hours/days > after deployment the machines alert on ten of thousands of events, which is > way too much for us to > ever go through, most of which are false alarms. > > The vendor's solution is tuning the systems, which means shutting down > signatures, detection > mechanisms, omitting defragmentation tests and so on. These tunings do reduce > dramatically the > number of alerts, but it seems most of the detection capabilities have been > shut off too, so > things are > nice and quite but we've no idea what's really going on in our network apart > from catching the > trivial threats such as old worms, which don't get false alarms. > Has anyone encountered this situation? Anyone got a solution? > > Thanks > > Sam > > > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it > with real-world attacks from CORE IMPACT. > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 > to learn more. > ------------------------------------------------------------------------ > > ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
