Wednesday, December 27, 2006

Can legitimate traffic be blocked by my IPS device?

Yes, it is possible. The following scenarios can cause your IPS device to report an attack that isn’t a real attack, also known as a false positive.
- Your IPS device is not set up to see traffic traversing in both directions. An IPS needs to see bi-directional traffic to accurately report attacks. This is important: if your IPS vendor does not do this, you are unquestionably vulnerable to IPS evasion.
- Valid traffic actually contains the same bit sequence as an attack packet. Signature writers do their best to ensure that this doesn’t happen, but it’s impossible to completely eliminate this problem. Be careful: if you have a vendor who claims they don’t have false positives, they have misunderstood their product.
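
An added illustration of both scenarios (not code from this blog or from any IPS product): the same byte-sequence signature is evaluated first on the client-to-server half of a flow only, then with the server's reply in view. The signature, the leak marker, the three flows and all function names are constructed for the example, and the request-line check is a simplifying heuristic.

```python
# Added illustration; signature, marker, flows and names are all constructed.
SIGNATURE = b"/etc/passwd"     # constructed byte-sequence signature
LEAK_MARKER = b"root:x:0:0"    # constructed evidence that the file was returned

# Constructed flows: (name, client->server bytes, server->client bytes)
FLOWS = [
    ("traversal_served",
     b"GET /download?file=../../../etc/passwd HTTP/1.1\r\nHost: app.example\r\n\r\n",
     b"HTTP/1.1 200 OK\r\n\r\nroot:x:0:0:root:/root:/bin/sh\n"),
    ("traversal_rejected",
     b"GET /download?file=../../../etc/passwd HTTP/1.1\r\nHost: app.example\r\n\r\n",
     b"HTTP/1.1 404 Not Found\r\n\r\n"),
    ("forum_post",   # legitimate traffic that happens to carry the same bytes
     b"POST /forum/reply HTTP/1.1\r\nHost: app.example\r\n\r\n"
     b"body=Back+up+/etc/passwd+before+editing+users",
     b"HTTP/1.1 200 OK\r\n\r\nThanks, your reply was posted."),
]

def request_only_verdict(request):
    """Raw byte match on one direction: all a sensor can do with half the flow."""
    return "alert" if SIGNATURE in request else "clean"

def bidirectional_verdict(request, response):
    """Same signature, but the server's reply decides what gets reported."""
    if SIGNATURE not in request:
        return "clean"
    if LEAK_MARKER in response:
        return "confirmed"               # reply shows the file content left the server
    request_line = request.split(b"\r\n", 1)[0]
    if SIGNATURE in request_line:
        return "attempt_not_served"      # targeted the resource, nothing leaked
    return "likely_false_positive"       # bytes only in the body, nothing leaked

def classify(flows=FLOWS):
    """Return {flow name: (one-direction verdict, two-direction verdict)}."""
    return {name: (request_only_verdict(req), bidirectional_verdict(req, resp))
            for name, req, resp in flows}

if __name__ == "__main__":
    for name, verdicts in classify().items():
        print(f"{name:20} request-only={verdicts[0]:6} bidirectional={verdicts[1]}")
```

With only one direction visible, all three flows raise the same alert; with both directions, only the first is reported as a confirmed attack and the forum post is flagged as a likely false positive.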

The best way to ensure that you have the fewest false positives is to include a device which correlates all of your security logs and analyzes false positives for you. Along with correlation, it should be able to take a mitigation action if it determines that an attack is relevant. Take a look at


Chris Durkin said...

Hi Greg, I didn't realize you were an active blogger.

I write the MARS blog over at

I'd like to discuss a couple of bits with you, if you can get in touch.

Chris Durkin

Greg Abelar said...

Chris - absolutely - let's talk. I'm on vacation until the 15th. I'll get in
contact with you when I get back. Thanks for your coverage on the book!!!


With Great Power Comes Great Responsibility....raise the bar

Get Secure