I have seen a spike in Multiple Vector Attack Source offenses in my deployment since adding in logs from our Symantec host-based firewall that runs on all of our workstations. We decided to collect the logs from these so that we could see the IPS events, but so far all it has done is flag numerous multiple vector offenses a day for firewall allows coming from the Symantec firewall.
Is there a good way to work on tuning these down? Or does anyone have any advice on what they have done to tune out false positives for multiple vector offenses in general?

Posted by Greg Mathes
Pinned topic: Multiple Vector Attack Source
1 reply. Latest post 2012-11-27T18:07:12Z by SystemAdmin. This topic has been locked.

Accepted answer
Re: Greg, which particular rule (2012-11-27T18:07:12Z, in response to SystemAdmin)
Greg, which particular rule in QRadar is firing?
There are a number of ways you can tune this out, depending on how much you are comfortable with. If you are not concerned about the firewall allows at all, you could simply add "and NOT when QID matches FW allow" to the rule that is triggering.
Posted by scott.vanwart
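As an added illustration (this is not code from the thread, from QRadar, or from Symantec), the following Python models a simplified multiple-vector style correlation rule: a source IP is flagged once it appears in several distinct event categories. It shows why a flood of host-firewall "allow" events adds a category to every workstation's count, and how excluding the allow QIDs (the "and NOT when QID matches FW allow" tuning suggested above) removes the false positive while a host that really is seen across several attack categories is still flagged. All IPs, QID numbers and category names are constructed placeholders, and the `min_categories` threshold is an assumption, not QRadar's actual rule logic.

```python
from collections import Counter, defaultdict

# Constructed sample events: (source_ip, qid, category).
# QIDs and categories are illustrative placeholders, not real QRadar values.
SAMPLE_EVENTS = [
    ("10.1.1.5", 90001, "Firewall Permit"),   # host-firewall allow (noise)
    ("10.1.1.5", 90001, "Firewall Permit"),
    ("10.1.1.5", 90002, "Firewall Permit"),
    ("10.1.1.5", 50010, "Exploit"),
    ("10.1.1.5", 50020, "Recon"),
    ("10.1.1.7", 90001, "Firewall Permit"),
    ("10.1.1.7", 50010, "Exploit"),
    ("10.1.1.7", 50030, "Malware"),
    ("10.1.1.7", 50020, "Recon"),
]

# QIDs that represent firewall "allow" events; the tuning excludes these.
FIREWALL_ALLOW_QIDS = frozenset({90001, 90002})


def multiple_vector_sources(events, min_categories=3, excluded_qids=frozenset()):
    """Return the set of source IPs seen in at least `min_categories`
    distinct event categories, ignoring events whose QID is excluded.
    (Simplified model of a multiple-vector correlation rule; the
    threshold is an assumption.)"""
    categories_by_source = defaultdict(set)
    for src, qid, category in events:
        if qid in excluded_qids:
            continue  # the "and NOT when QID matches FW allow" test
        categories_by_source[src].add(category)
    return {
        src for src, cats in categories_by_source.items()
        if len(cats) >= min_categories
    }


def contributing_qids(events, src):
    """Count which QIDs a given source contributed, to answer the
    'which events are actually firing this rule?' question before tuning."""
    return Counter(qid for s, qid, _ in events if s == src)


def tuning_effect(events, excluded_qids=FIREWALL_ALLOW_QIDS):
    """Return (flagged_before, flagged_after, suppressed) so the operator can
    see exactly which sources the exclusion silences."""
    before = multiple_vector_sources(events)
    after = multiple_vector_sources(events, excluded_qids=excluded_qids)
    return before, after, before - after


if __name__ == "__main__":
    before, after, suppressed = tuning_effect(SAMPLE_EVENTS)
    print("flagged before tuning:", sorted(before))
    print("flagged after tuning: ", sorted(after))
    print("suppressed (allow-driven):", sorted(suppressed))
    for src in sorted(suppressed):
        print(f"  {src} contributing QIDs:", dict(contributing_qids(SAMPLE_EVENTS, src)))
```

Running `tuning_effect` on the sample shows 10.1.1.5 flagged only because the firewall permits supplied its third category, while 10.1.1.7 remains flagged on Exploit, Malware and Recon after the allow QIDs are dropped. Before applying such an exclusion in a real deployment, use the `contributing_qids` style breakdown to confirm the offenses really are allow-driven rather than masking a genuinely noisy host.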