Seldom cry wolf: Tuning out false positives on Network Intrusion Detection Systems

Seldom cry wolf: Tuning out false positives on Network Intrusion Detection Systems (PDF, 2.72MB)

Published: 28 Jan, 2005

Created by: Paul Leitao

Network Intrusion Detection System (NIDS) management includes tasks such as system patching, signature updates and, of course, false positive identification and tuning. After attending SANS Downunder 2004, one of the major projects that I was deployed on was NIDS tuning for a financial services organization. Being familiar with the problems associated with such projects, I resolved to design and implement a tuning methodology to make the tuning process less painful. This paper describes the design and implementation steps of that tuning methodology. It provides a step-by-step process of deployment within a medium-size organization and focuses on providing a methodology that may be used as a starting point to identify and minimize false positives. The network infrastructure used for this project is described and three (3) false positive tuning sample exercises are provided. The NIDS product used is Symantec ManHunt. I hope that this paper will provide a structured and stable way for NIDS analysts to tune out false positives in their respective systems. By doing so, they will have more time to carry out the fun activities, such as cyber clashing with hackers, performing forensic investigations and engaging in do-or-die incident handling exercises.