IBM Support

False positive on IBM host- or network-based IPS sensors

Question & Answer

Question

What should be done when you suspect a false positive on an IBM host- or network-based IPS?

Answer

When IBM X-Force creates or modifies a signature, this signature goes through extensive false positive testing. However, it is difficult for our developers to reproduce all possible network configurations. Occasionally, new false positives are discovered after the release of a signature. Often they are found by you, our customers!

We are dedicated to reducing false positives in our products. If you are experiencing false positives for a particular signature in your environment, you can report the false positive so that we can make our products better for you.

To submit a false positive report, contact IBM Security Systems Customer Support to open a PMR with, at a minimum, the following information.
  • An export of the false positive event(s) from the SiteProtector Analysis view. Make sure that you are viewing the events in the Event Analysis - Detail view when creating the export so that your export contains the specific details of the traffic that caused the signature to fire.
  • A brief summary of why you think this is a false positive.
  • The update version information for the sensor on which the alert was triggered.
  • If the false positive is being triggered by a specific software product or network configuration in your environment, a description of the software (with version information) or of the network configuration.

Frequently, the following information is absolutely necessary for us to fix the false positive problem. If you can provide it in your initial report, it is extremely helpful to Support:
  • A packet capture showing the traffic that caused the false positive. A packet capture is a file that contains a frame-by-frame record of network traffic over the specific period of time during which the event was triggering.
  • Explicit instructions on how to reproduce the false positive.

Historical Number: 2451

Document Information

Modified date: 21 March 2022

UID: swg21434828