0 Replies Latest reply on May 23, 2011 1:18 PM by RRMX

    Reviewing/Managing IPS Events - False or Not?

    RRMX

      HIP 7.x / EPO 4.5

       

      I'm sure this topic of discussion has come up many times before, though I haven't really seen a whole lot of in-depth discussion about it.

       

      I manage HIP on more than 20,000 endpoints (all workstations, no servers) and we use IPS turned on for blocking on High signatures only. We routinely trigger IPS events on a daily basis, usually 50-100 per day. We have over 100 remote offices and I don't have a lot of access to these machines (either remote or local). My trouble is that I cannot really prove whether or not any of these IPS signature hits are actually malicious or not.

       

      My management has been inquiring as to whether or not the IPS is useful for our enviornment. I'm sure it's blocking some malicious stuff, but I don't really know. They want to know if we had X number of threats to our systems blocked in X amount of time. I can show the IPS events that we have, but I know that a lot of them are false positives.

       

      Does anyone have a methodology they use for determining whether a particular IPS event is malicious or a false positive? Please see the attached screenshots... this is the only type of information I have to go on to research these. The problem is, after the fact, even if I contacted the user they wouldn't have any idea what they were doing at that particular time when the event occurred, and there isn't going to be any other evidence of the event on the actual endpoint.

       

      Screenshot 1: Generic Buffer Overflow

      1.JPG

      Screenshot 2: Internet Explorer HTA Execution Vulnerability

      2.JPG

      Screenshot 3: Vulnerability in Windows Media Player ASX PlayList File

      3.JPG

      Screenshot 4: Sticky Keys File Replacement Backdoor

      4.JPG

      Screenshot 5: Internet Explorer Buffer Overflow

      5.JPG