Which of the following is not a method of mitigating false positives on a Sourcefire device? (Select the best answer.)
A. disabling unnecessary Snort rules
B. suppressing event notifications
C. reporting false positives to Cisco Technical Support
D. configuring an Allow action without inspection
E. configuring a Block action
Explanation:
Configuring a Block action is not a method of mitigating false positives on a Sourcefire device. A false positive occurs when an intrusion detection system (IDS) or intrusion prevention system (IPS) identifies nonmalicious traffic as malicious. Sourcefire devices are commercial Cisco IDSs based on the open-source IDS known as Snort. The Block action simply blocks traffic and does not perform any type of inspection. Although the Block action might prevent notifications from false positives, it would also drop legitimate traffic.
Configuring an Allow action without inspection is a method of mitigating false positives on a Sourcefire device. A Sourcefire device can match traffic based on a number of conditions, including security zones, networks, virtual LAN (VLAN) tags, source or destination ports, applications, Uniform Resource Locators (URLs), or users. A Sourcefire device is also capable of handling traffic that matches a given condition by applying an action, or rule, to the traffic. The actions supported by a Sourcefire device include the following:
– Monitor
– Trust
– Block
– Interactive Block
– Allow
A Sourcefire device can inspect and log traffic that is passed by the Allow action. Sourcefire inspection occurs when an Intrusion Policy is applied to this action. Applying an action without an Intrusion Policy performs the given action when traffic matches a condition but does not inspect the traffic. Therefore, you could apply an Allow action without an Intrusion Policy to allow all traffic matching a given condition and prevent that traffic from generating a false positive. Conversely, you might apply an Allow action with an Intrusion Policy to permit all but malicious traffic that matches a given condition.
Disabling unnecessary Snort rules is a method of mitigating false positives on a Sourcefire device. Unnecessary rules include rules that are designed to prevent the exploitation of vulnerabilities that have already been fixed, rendering the rule obsolete. Disabling such rules prevents them from generating alerts on matching traffic.
Reporting false positives to Cisco Technical Support is a method of mitigating false positives on a Sourcefire device. Default Sourcefire Snort rules that trigger notifications might need to be modified by Cisco's Vulnerability Research Team (VRT) if a rule is causing legitimate traffic to be dropped.
Suppressing event notifications by using the Sourcefire Suppression feature is a method of mitigating false positives on a Sourcefire device. The Suppression feature prevents the Sourcefire device from sending event notifications. However, the Suppression feature does not prevent the Sourcefire device from processing traffic. Therefore, the generation of false positives might still be a drain on device resources. Also, legitimate traffic could be silently dropped.
References:
Cisco: Options to Reduce False Positive Intrusion Events: Options to Reduce False Positive Alerts
Cisco: FireSIGHT System User Guide Version 5.4.1: Using Rule Actions to Determine Traffic Handling and Inspection