  • Latest Post - 2012-11-27T18:07:12Z by SystemAdmin

Pinned topic Multiple Vector Attack Source

2012-08-20T19:57:12Z
I have seen a spike in multiple vector attack source offenses in my deployment since adding in logs from our Symantec host-based firewall that runs on all of our workstations. We decided to collect the logs from these so that we could see the IPS events, but so far all it has done is flag numerous multiple vector offenses a day for firewall allows coming from the Symantec firewall.

Is there a good way to work on tuning these down? Or does anyone have any advice on what they have done to tune out false positives for multiple vector offenses in general?

Posted by Greg Mathes
  • SystemAdmin

    Greg, which particular rule in QRadar is firing?
    There are a number of ways you can tune this out, depending on how much you are comfortable with. If you are not concerned about the firewall allows at all, you could simply add "and NOT when QID matches FW allow" to the rule that is triggering.
    Posted By scott.vanwart