Which three statements are true with respect to IPS false positives? (Choose three.)
A. An example of a false positive is when the IPS appliance produces an alert in response to the normal activities of the company’s network management system.
B. Increasing the set of TCP ports that a signature matches on may reduce false positives.
C. False positives may be reduced by disabling certain signatures.
D. Event action filters can be implemented to reduce false positives.
E. An example of a false positive is the IPS not reacting to a successful denial of service attack.
Explanation:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_signature_definitions.html#wp1094231
Understanding Signatures
Attacks or other misuses of network resources can be defined as network intrusions. Sensors that use a signature-based technology can detect network intrusions.
A signature is a set of rules that your sensor uses to detect typical intrusive activity, such as DoS attacks. As sensors scan network packets, they use signatures to detect known attacks and respond with actions that you define. The sensor compares the list of signatures with network activity. When a match is found, the sensor takes an action, such as logging the event or sending an alert. Sensors let you modify existing signatures and define new ones.
Signature-based intrusion detection can produce false positives because certain normal network activity can be misinterpreted as malicious activity. For example, some network applications or operating systems may send out numerous ICMP messages, which a signature-based detection system might interpret as an attempt by an attacker to map out a network segment. You can minimize false positives by tuning your signatures.
To configure a sensor to monitor network traffic for a particular signature, you must enable the signature. By default, the most critical signatures are enabled when you install the signature update. When an attack is detected that matches an enabled signature, the sensor generates an alert, which is stored in the Event Store of the sensor. The alerts, as well as other events, may be retrieved from the Event Store by web-based clients. By default the sensor logs all Informational alerts or higher.
Some signatures have subsignatures, that is, the signature is divided into subcategories. When you configure a subsignature, changes made to the parameters of one subsignature apply only to that subsignature. For example, if you edit signature 3050 subsignature 1 and change the severity, the severity change applies to only subsignature 1 and not to 3050 2, 3050 3, and 3050 4.
Cisco IPS 6.1 contains over 10,000 built-in default signatures. You cannot rename or delete signatures from the list of built-in signatures, but you can retire signatures to remove them from the sensing engine. You can later activate retired signatures; however, this process requires the sensing engines to rebuild their configuration, which takes time and could delay the processing of traffic. You can tune built-in signatures by adjusting several signature parameters. Built-in signatures that have been modified are called tuned signatures.
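The following is an added illustration, not code from the question or from the Cisco documentation it quotes: a toy model of a signature-based sensor that shows the three tuning mechanisms the explanation describes (per-subsignature severity changes, retiring a signature, and an event action filter that suppresses alerts for a trusted network management host). Signature 9001, the address ranges and the event dicts are constructed placeholders; only 3050/1..2 echo the page's subsignature example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Toy signature engine. Signature 3050/1..2 follow the page's subsignature
# example; signature 9001 ("ICMP sweep"), the address ranges and the events
# are constructed placeholders, not real Cisco IDs or captured traffic.
@dataclass
class Signature:
    sig_id: int
    subsig_id: int
    severity: str
    match: object          # predicate over an event dict
    retired: bool = False  # retired = removed from the sensing engine

@dataclass
class EventActionFilter:
    sig_id: int          # signature the filter applies to
    attacker_net: str    # attacker address range the filter covers
    subtract: frozenset  # actions removed when the filter matches

@dataclass
class Sensor:
    signatures: list
    filters: list = field(default_factory=list)

    def inspect(self, event):
        """Return (sig_id, subsig_id, severity, actions) for each alert that fires."""
        alerts, src = [], ip_address(event["src"])
        for sig in self.signatures:
            if sig.retired or not sig.match(event):
                continue
            actions = {"produce-alert"}
            for f in self.filters:
                if f.sig_id == sig.sig_id and src in ip_network(f.attacker_net):
                    actions -= f.subtract
            if actions:  # every action subtracted -> nothing is logged
                alerts.append((sig.sig_id, sig.subsig_id, sig.severity, frozenset(actions)))
        return alerts

    def tune_severity(self, sig_id, subsig_id, severity):
        """Changing one subsignature's severity leaves its siblings untouched."""
        for sig in self.signatures:
            if (sig.sig_id, sig.subsig_id) == (sig_id, subsig_id):
                sig.severity = severity

def build_sensor():
    return Sensor([
        Signature(3050, 1, "medium", lambda e: e["type"] == "syn" and e["dst_port"] == 80),
        Signature(3050, 2, "medium", lambda e: e["type"] == "syn" and e["dst_port"] == 25),
        Signature(9001, 0, "low", lambda e: e["type"] == "icmp" and e["count"] >= 50),
    ])
```

Adding an event action filter for the NMS subnet drops the alert for the management host's ICMP sweep while the same pattern from an unknown address still alerts; retiring 9001 silences it everywhere, which is the coarser option C describes.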