Question & Answer
Question
What should be done when you suspect a false positive on an IBM host or network based IPS?
Answer
When IBM X-Force creates or modifies a signature, this signature goes through extensive false positive testing. However, it is difficult for our developers to reproduce all possible network configurations. Occasionally, new false positives are discovered after the release of a signature. Often they are found by you, our customers!
We are dedicated to reducing false positives in our products. If you are experiencing false positives for a particular signature in your environment, you can report the false positive so that we can make our products better for you.
To submit a false positive report, contact IBM Security Systems Customer Support to open a PMR with, at a minimum, the following information.
- An export of the false positive event(s) from the SiteProtector Analysis view. Make sure that you are viewing the events in the Event Analysis - Detail view when creating the export so that your export contains the specific details of the traffic that caused the signature to fire.
- A brief summary of why you think this is a false positive.
- The update version information for the sensor on which the alert was triggered.
- If the false positive is being triggered by a specific software product or network configuration in your environment, a description of the software (with version information) or network configuration.
- A packet capture showing the traffic that caused the false positive. A packet capture is a file that contains a frame-by-frame record of network traffic over the specific period of time when the event was triggering.
- Explicit instructions on how to reproduce the false positive.
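The packet-capture item above, as an added example that is not from the original IBM page: a POSIX shell helper that builds a tcpdump command scoped to the source host, destination host and port shown in the SiteProtector event, and a quick check that the resulting file really is a pcap or pcapng file before it is attached to the PMR. The interface name, addresses, port and file name are constructed placeholders. It assumes tcpdump is available on a host that sees the same traffic as the sensor (a SPAN port or tap), which is not something the IBM page states.

```shell
#!/bin/sh
# Added example (not IBM's code). Scope a capture to the flow a sensor event
# reported, then sanity-check the file before sending it with the PMR.

# build_capture_cmd IFACE SRC_IP DST_IP DST_PORT SECONDS OUTFILE
# Prints a tcpdump command that:
#   -s 0        keeps full frames (a truncated payload hides the trigger bytes)
#   -n          avoids DNS lookups that add unrelated traffic to the capture
#   -G N -W 1   stops after N seconds (one rotation, one file)
#   host/port   limits the file to the flow named in the event
build_capture_cmd() {
    iface="$1"; src="$2"; dst="$3"; port="$4"; secs="$5"; out="$6"
    printf 'tcpdump -i %s -s 0 -n -G %s -W 1 -w %s host %s and host %s and tcp port %s\n' \
        "$iface" "$secs" "$out" "$src" "$dst" "$port"
}

# pcap_looks_valid FILE
# Returns 0 if the first four bytes are a libpcap magic (either byte order,
# microsecond or nanosecond variant) or the pcapng block type, else 1.
pcap_looks_valid() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed placeholder values; replace with the fields from the exported
# SiteProtector event (Event Analysis - Detail view).
IFACE=eth0
SRC_IP=10.0.0.5        # source address from the event (placeholder)
DST_IP=192.0.2.10      # destination address from the event (placeholder)
DST_PORT=443           # destination port from the event (placeholder)
CAPTURE_SECS=120       # long enough to run the reproduction steps
OUTFILE=fp_event.pcap

CMD=$(build_capture_cmd "$IFACE" "$SRC_IP" "$DST_IP" "$DST_PORT" "$CAPTURE_SECS" "$OUTFILE")
echo "Capture command: $CMD"

# Only run the capture when explicitly asked and tcpdump exists (needs root).
if [ "${RUN_CAPTURE:-0}" = 1 ] && command -v tcpdump >/dev/null 2>&1; then
    echo "Reproduce the false positive now; capture stops after ${CAPTURE_SECS}s."
    sh -c "$CMD"
    if pcap_looks_valid "$OUTFILE"; then
        echo "OK: $OUTFILE is a pcap/pcapng file, attach it to the PMR."
    else
        echo "WARNING: $OUTFILE is empty or not a capture file; re-check the filter."
    fi
fi
```

Start the capture before running the reproduction steps and let it run until the event fires again on the sensor, so that the PMR holds the same time window in both the event export and the pcap. Review the file before uploading it: a full-frame capture of the flagged flow may contain credentials or other payload data from your environment.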
Historical Number
2451
Document Information
Modified date:
21 March 2022
UID
swg21434828