Pinned topic Multiple Vector Attack Source

2012-08-20T19:57:12Z
I have seen a spike in multiple vector attack source offenses in my deployment since adding in logs from our Symantec host-based firewall that runs on all of our workstations. We decided to collect the logs from these so that we could see the IPS events, but so far all it has done is flag numerous multiple vector offenses a day for firewall allows coming from the Symantec firewall.

Is there a good way to work on tuning these down? Or does anyone have any advice from what they have done to tune out false positives for multiple vector offenses in general?

Posted by Greg Mathes
Updated on 2012-11-27T18:07:12Z by SystemAdmin

Re: Greg, which particular rule

2012-11-27T18:07:12Z
Greg, which particular rule in QRadar is firing?
There are a number of ways you can tune this out depending on how much you are comfortable with. If you are not concerned about the firewall allows at all, you could simply add "and NOT when QID matches FW allow" to the rule that is triggering.
Posted by scott.vanwart
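To show the effect of the QID exclusion the reply suggests, here is an added Python model (not from the thread and not QRadar's own rule engine): a simplified "multiple vector" test that fires when one source IP produces events in at least three distinct low-level categories, with an optional set of excluded QIDs standing in for the "and NOT when QID matches FW allow" test. The events, QID numbers and threshold are constructed placeholders, not real QRadar identifiers.

```python
from collections import defaultdict

# Constructed sample events (source IP, QID, low-level category).
# QID 99001 is a placeholder for the host-based firewall's "permit"
# event; none of these numbers are real QRadar QIDs.
EVENTS = [
    ("10.0.0.5", 99001, "Firewall Permit"),
    ("10.0.0.5", 99001, "Firewall Permit"),
    ("10.0.0.5", 99002, "Firewall Deny"),
    ("10.0.0.5", 99003, "Port Scan"),
    ("10.0.0.9", 99001, "Firewall Permit"),
    ("10.0.0.9", 99002, "Firewall Deny"),
    ("10.0.0.9", 99003, "Port Scan"),
    ("10.0.0.9", 99004, "Malware Detected"),
]

# Placeholder for the "FW allow" QID(s) that the tuned rule excludes.
FW_ALLOW_QIDS = frozenset({99001})


def multiple_vector_sources(events, min_categories=3, excluded_qids=frozenset()):
    """Return the set of source IPs whose remaining events span at least
    `min_categories` distinct low-level categories.

    This is a deliberately simplified stand-in for a "multiple vector
    attack source" style rule, not QRadar's actual implementation.
    Events whose QID is in `excluded_qids` are skipped before counting,
    which is what adding "and NOT when QID matches FW allow" does.
    """
    categories_by_source = defaultdict(set)
    for src, qid, category in events:
        if qid in excluded_qids:
            continue  # firewall allows no longer count as an attack vector
        categories_by_source[src].add(category)
    return {src for src, cats in categories_by_source.items()
            if len(cats) >= min_categories}


if __name__ == "__main__":
    # Untuned: the permit noise pushes 10.0.0.5 over the threshold.
    print("untuned:", sorted(multiple_vector_sources(EVENTS)))
    # Tuned: 10.0.0.5 drops out, 10.0.0.9 still fires on real categories.
    print("tuned:  ", sorted(multiple_vector_sources(EVENTS, excluded_qids=FW_ALLOW_QIDS)))
```

Only the source whose extra "vector" was the firewall permit disappears after the exclusion; a source with three genuine categories still fires, which is the check worth running before shipping such a tuning change.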