False positives must be reduced as far as possible without creating new false negatives: before any tuning change that silences an alert is made, check which real attacks it would also silence.
A few steps that will greatly reduce the number of false positives follow:
- Disable rules that are not relevant to your environment. For example, if you do not run Apache servers, there is no reason to watch for attacks against Apache.
- When using an anomaly detection IDS, be sure to re-train it as new applications are deployed; otherwise their legitimate traffic will be reported as anomalous.
- Where possible, edit rules that are too broad so that they match only the traffic that is actually dangerous, for example by restricting them to the vulnerable service's addresses and ports and to the attacking direction of the connection.
- When rules cannot be edited, create tightly scoped bypass (pass) rules that allow the specific legitimate traffic to pass without triggering an alert. Scope them to the exact source, destination and port so that they do not also hide attacks from other hosts.
- For rules that are situational, be sure they are only enabled where they are relevant. For example, NBT (NetBIOS over TCP/IP) traffic inside a Windows LAN environment is normal, yet the same traffic arriving from the Internet is not.
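The following Snort 2 configuration fragment is an added example illustrating the steps above; it is not part of the original text. The host addresses, SIDs, rule names and message strings are hypothetical, and the rules are written in standard Snort 2 syntax (rule lines, a threshold.conf suppression, and address variables from snort.conf).

```snort
# Added example: tuning a signature IDS (Snort 2) along the steps listed above.
# Addresses, SIDs and rule text are hypothetical.

# Step 1. Disable rules that do not apply: no Apache in this environment, so the
# whole Apache rule file is left out of snort.conf instead of tuning each rule.
# include $RULE_PATH/web-apache.rules

# Step 3. A rule that is too broad. It fires on any packet in any direction that
# carries "cmd.exe", including client downloads and outbound mail that mention it.
# alert tcp any any -> any any (msg:"cmd.exe in traffic"; content:"cmd.exe"; sid:1000001; rev:1;)
#
# Tightened version: only the server-bound half of an established connection from
# outside to our web servers, and only when the string is in the request URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access attempt"; flow:to_server,established; content:"cmd.exe"; nocase; http_uri; classtype:web-application-attack; sid:1000001; rev:2;)

# Step 4. When a vendor rule cannot be edited, a tightly scoped pass rule lets one
# known-good source through: the authorised vulnerability scanner (hypothetical
# 10.1.2.3) hitting the web farm. The scope is one host, one destination group,
# one port set; a wider pass rule would also hide real attacks. Pass rules must be
# evaluated before alert rules; confirm the rule order ("config order:" or -o)
# for the Snort version in use.
pass tcp 10.1.2.3 any -> $HTTP_SERVERS $HTTP_PORTS (msg:"authorised scanner to web farm"; flow:to_server,established; sid:1000002; rev:1;)

# Alternative to a pass rule: keep the rule active but suppress its events for
# that single source (threshold.conf). Events from every other source still fire.
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.1.2.3

# Step 5. Situational rules: NBT inside the LAN is normal, from the Internet it is
# not. The rule stays the same on every sensor; the address variables decide where
# it is relevant. On the internal sensor HOME_NET covers the whole LAN, so
# LAN-to-LAN session requests never match $EXTERNAL_NET and produce no alert.
# ipvar HOME_NET 10.0.0.0/8
# ipvar EXTERNAL_NET !$HOME_NET
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB session request from Internet"; flow:to_server,established; classtype:protocol-command-decode; sid:1000003; rev:1;)
```

Each change is narrow on purpose: the tightened rule still catches the attack it was written for, the pass rule and the suppression are limited to a single known host, and the NBT rule is silenced only for the traffic direction the environment treats as normal, so none of them introduces a new false negative for traffic from other sources.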
Daniel Owen
www.danielowen.com
