Three tips for reducing false alarms
By Joel Snyder
Network World, 06/24/02
If you decide to dive into intrusion-detection systems, these tips might help reduce your level of false positives and false alarms:
1. Map your network.
Build a map of your entire internal network, identifying all the hosts and services running on them. The more you tell the IDS about what is important in your network, the fewer false alarms you'll get.
For example, if you have Apache Web servers, you should tell the IDS not to look for attacks that are based on Microsoft Internet Information Server vulnerabilities on those servers.
If you've patched a server for Code Red, tell the IDS not to bother reporting Code Red attacks on that server.
2. Firewall your IDS
If you don't put the IDS behind your firewall, you'll learn lots of interesting things about knob-twisting out on the Internet.
Unfortunately, there's no point and nothing you can do with the information - you can spend all day complaining about port scans, and it won't do any good. The less traffic the IDS sees, the less it can complain about.
3. Use reporting tools
Sifting through a pile of events only gets you mired down in details without giving you much of a big picture. IDS reports, which provide summary information on what's going on over a macro scale, such as a 72-hour period, are more useful. Caution: You might have to write some of these tools yourself!