McAfee M4050 Troubleshooting Guide - Page 45



McAfee® Network Security Platform 6.0
Determining False Positives
Correct identification; significance subject to user sensitivity (also known as noise)
There is another type of event which you may not be interested in, because of the perceived
severity of the event. For example, Network Security Platform will detect a UDP-based host
sweep when a given host sends UDP packets to a certain number of distinct destinations
within a given time interval. Although you can tune this detection by configuring the
threshold and the interval according to your sensitivity, it is still possible that some or all
of the host IPs being scanned are not actually live. Some users will consider these alerts
noise; others will take notice, because a sweep indicates possible reconnaissance activity.
Another example of noise would be someone attempting an IIS-based attack against your
Apache Web server. This is a hostile act, but it will not actually harm anything beyond
wasting some network bandwidth. Again, though, a would-be attacker learns something he
can use against your network: the fact that the attack failed helps him zero in on the type
of Web server you use. Users can better manage this type of event through policy
customization or by installing attack filters.
Relevance analysis can help separate these cases: it evaluates the vulnerability relevance
of real-time alerts using the vulnerability data imported into the Manager database. The
imported vulnerability data can come from Vulnerability Manager or from other supported
vulnerability scanners such as Nessus.
The noise-to-incorrect-identification ratio can be fairly high, particularly under the
following conditions:
• the configured policy includes a lot of Informational alerts, or scan alerts that are
  based on request activity (such as the All Inclusive policy)
• deployment links that carry a lot of hostile traffic, such as in front of a firewall
• an overly coarse VIDS definition that contains very disparate applications, for
  example, a highly aggregated link in dedicated interface mode
Users can effectively manage the noise level by defining appropriate VIDS and customizing
the policy accordingly. For exceptional hosts, such as a dedicated pentest machine, alert
filters can also be used.
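To make the threshold-and-interval behaviour of the UDP host-sweep detection concrete, the following is an added example written for this page; it is not code from Network Security Platform. It implements the same kind of sliding-window check over a constructed set of UDP flow records, shows how the same traffic alerts or stays silent depending on the two tuning knobs, and then applies the relevance idea this section describes: a sweep that only touched addresses with no known live host, or an IIS-specific attack aimed at an Apache host, is tagged as noise rather than as a relevant event. The flow records, the LIVE_HOSTS inventory (standing in for imported scanner data) and all function names are assumptions for illustration.

```python
from collections import defaultdict, deque

# Constructed sample UDP flow records (not captured traffic):
# (timestamp in seconds, source IP, destination IP, destination port).
# 192.0.2.10 probes 12 different hosts one second apart; 192.0.2.20 is an
# ordinary client talking to a single DNS server.
SAMPLE_FLOWS = [(t, "192.0.2.10", f"10.0.0.{t + 1}", 161) for t in range(12)]
SAMPLE_FLOWS += [(0.5, "192.0.2.20", "10.0.0.53", 53),
                 (3.5, "192.0.2.20", "10.0.0.53", 53),
                 (7.5, "192.0.2.20", "10.0.0.53", 53)]

# Constructed asset inventory standing in for imported vulnerability-scanner
# data: IP -> server platform. Only hosts known to be live are listed.
LIVE_HOSTS = {"10.0.0.5": "apache", "10.0.0.53": "bind", "10.0.0.80": "iis"}


def detect_udp_host_sweeps(flows, threshold, interval):
    """Raise one alert per source whenever it has sent UDP packets to at least
    `threshold` distinct destinations within any `interval`-second window.

    The window is a per-source deque of (timestamp, destination); entries
    older than `interval` fall off the front as time advances. After an alert
    the window is cleared so the same packets are not reported twice."""
    alerts = []
    window = defaultdict(deque)
    for ts, src, dst, _dport in sorted(flows):
        q = window[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > interval:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold:
            alerts.append({"src": src, "targets": sorted(distinct),
                           "window": (q[0][0], ts)})
            q.clear()
    return alerts


def classify_sweep(alert, live_hosts):
    """Decide whether a sweep alert is noise (nothing it touched is a known live
    host) or reconnaissance worth noting (at least one target is live).
    Returns (verdict, list of live targets)."""
    live = [t for t in alert["targets"] if t in live_hosts]
    return ("recon" if live else "noise", live)


def attack_relevance(attack_platform, target_ip, live_hosts):
    """Relevance check for a signature alert: an IIS-specific attack aimed at
    an Apache host cannot succeed, so from a vulnerability standpoint it is
    noise. Returns "relevant", "not_relevant" or "unknown" (target not in
    the inventory, so no judgement is possible)."""
    platform = live_hosts.get(target_ip)
    if platform is None:
        return "unknown"
    return "relevant" if platform == attack_platform else "not_relevant"


if __name__ == "__main__":
    for threshold, interval in ((10, 30), (10, 5)):
        alerts = detect_udp_host_sweeps(SAMPLE_FLOWS, threshold, interval)
        print(f"threshold={threshold} interval={interval}s -> {len(alerts)} alert(s)")
        for a in alerts:
            print("  ", a["src"], "swept", len(a["targets"]), "hosts;",
                  classify_sweep(a, LIVE_HOSTS))
    print("IIS attack vs 10.0.0.5 :", attack_relevance("iis", "10.0.0.5", LIVE_HOSTS))
    print("IIS attack vs 10.0.0.80:", attack_relevance("iis", "10.0.0.80", LIVE_HOSTS))
```

With a 30-second interval the scanner trips a threshold of 10 at its tenth probe; with a 5-second interval it never holds more than six distinct destinations in the window and stays silent, which is exactly the tuning trade-off the text describes. Whether the resulting alert is noise then depends on the inventory: here only 10.0.0.5 among the swept addresses is live, so the sweep is tagged as reconnaissance against a real host.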
Determining a false positive versus noise
Some troubleshooting tips for gathering the proper data to determine whether you are
dealing with a false positive or an uninteresting event:
• What did you expect to see? What is the vulnerability, if applicable, that the attack
  indicated by the alert is supposed to exploit?
• Ensure that you have valid traffic dumps captured from the attack attempt (for
  example, have packet logging enabled and be able to view the resulting packet log).
• Determine whether any applications are suspected of triggering the alert: which
  ones, which versions, and in what specific configurations.
If you intend to work with McAfee Technical Support on the issue, we ask that you provide
the following information to assist in troubleshooting:
• If this occurred in a lab using testing tools rather than live traffic, please provide
  detailed information about the attack/test tool used, including its name, version,
  configuration, and where the traffic originated.
• If this is a testing environment using traffic dump replay, make sure that the traffic
  dumps are valid: TCP traffic follows a proper 3-way handshake, and so on.
• Also, please provide detailed information about the test configuration in the form of a
  network diagram.
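Because Technical Support asks that replayed dumps be valid, with TCP traffic following a proper 3-way handshake, here is an added example of the check a practitioner would run before sending a capture; it is not a McAfee tool and is not code from the original page. It reads a classic pcap file with nothing beyond the standard library, tracks every TCP flow through SYN, SYN/ACK and ACK, and reports flows that never complete the handshake or that carry data before it (the typical symptom of a dump trimmed mid-connection, which a sensor will not reassemble the way it does live traffic). The sample capture is constructed inside the block; the builder helpers, addresses and function names are hypothetical.

```python
import socket
import struct

SYN, PSH, ACK = 0x02, 0x08, 0x10


def tcp_frame(src, sport, dst, dport, flags, seq=0, ack=0, payload=b""):
    """Build an Ethernet/IPv4/TCP frame for the constructed sample. Checksums
    are left at zero: this validator only reads headers (replay tools may
    recompute them)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def iter_pcap_records(data):
    """Yield (timestamp, frame bytes) from a pcap, honouring its byte order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, flags, payload_len) for an IPv4/TCP
    frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    data_off = (off_flags >> 12) * 4
    return (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]),
            dport, off_flags & 0x1FF, len(tcp) - data_off)


def check_handshakes(pcap_bytes):
    """Walk every TCP flow through SYN -> SYN/ACK -> ACK. The first endpoint
    seen is treated as the client. Returns
    {(client, cport, server, sport): (status, data_packets_before_handshake)}."""
    flows = {}
    for _ts, frame in iter_pcap_records(pcap_bytes):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, sport, dst, dport, flags, plen = pkt
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        key = fwd if fwd in flows else rev if rev in flows else fwd
        st = flows.setdefault(key, {"stage": 0, "early_data": 0})
        from_client = key == fwd
        syn, ack = bool(flags & SYN), bool(flags & ACK)
        if st["stage"] == 0 and syn and not ack and from_client:
            st["stage"] = 1          # client SYN
        elif st["stage"] == 1 and syn and ack and not from_client:
            st["stage"] = 2          # server SYN/ACK
        elif st["stage"] == 2 and ack and not syn and from_client:
            st["stage"] = 3          # client ACK: handshake complete
        if plen > 0 and st["stage"] < 3:
            st["early_data"] += 1    # payload seen on a flow with no handshake
    return {k: ("complete" if v["stage"] == 3 else "incomplete", v["early_data"])
            for k, v in flows.items()}


def pcap_is_valid_for_replay(pcap_bytes):
    """True only if every TCP flow completed its handshake before carrying data."""
    return all(s == "complete" and n == 0
               for s, n in check_handshakes(pcap_bytes).values())


# Constructed sample capture (not a real dump): flow A is a full handshake
# followed by an HTTP request; flow B is what a trimmed or badly relayed dump
# looks like, data packets with no SYN or SYN/ACK in front of them.
SAMPLE_PCAP = build_pcap([
    tcp_frame("192.0.2.10", 40001, "10.0.0.5", 80, SYN, seq=1000),
    tcp_frame("10.0.0.5", 80, "192.0.2.10", 40001, SYN | ACK, seq=5000, ack=1001),
    tcp_frame("192.0.2.10", 40001, "10.0.0.5", 80, ACK, seq=1001, ack=5001),
    tcp_frame("192.0.2.10", 40001, "10.0.0.5", 80, PSH | ACK, seq=1001, ack=5001,
              payload=b"GET /index.html HTTP/1.0\r\n\r\n"),
    tcp_frame("10.0.0.9", 40000, "10.0.0.80", 80, PSH | ACK, seq=1, ack=1,
              payload=b"GET /index.html HTTP/1.0\r\n\r\n"),
    tcp_frame("10.0.0.80", 80, "10.0.0.9", 40000, PSH | ACK, seq=1, ack=30,
              payload=b"HTTP/1.0 200 OK\r\n\r\n"),
])

if __name__ == "__main__":
    for flow, (status, early) in check_handshakes(SAMPLE_PCAP).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {status}, "
              f"{early} data packet(s) before handshake")
    print("valid for replay:", pcap_is_valid_for_replay(SAMPLE_PCAP))
```

To check a real file, read it as bytes and pass it to check_handshakes; any flow reported as incomplete, or with a non-zero early-data count, is one the sensor will see very differently from live traffic, and the dump should be recaptured from the SYN onward before it is used to reproduce an alert.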