Eliminating False Positives
Services that Generate Events
Some types of services are characterized by a high quantity of traffic that can be misidentified as events. These are examples of services and protocols that can potentially generate events:
- Software that does a routine scan of the network to make sure that everything runs correctly. Configuring SmartEvent to exclude this source from a scan event (an event is a record of a security or network incident that is based on one or more logs and on a customizable set of rules defined in the Event Policy) eliminates a source of false positive events.
- High connection rate on a web server. Set SmartEvent to allow a higher connection rate per minute on a busy web server, or exclude this source from a scan event.
Common Events by Service
This table lists server types on which high activity is common. To reduce the quantity of false positives further, change the Event Policy (the set of rules that define the behavior of SmartEvent): adjust event thresholds and add Exclusions for these servers and services.
Common events by service
| Server Type | Category | Event Name | Source | Dest | Service | Reason |
|---|---|---|---|---|---|---|
| SNMP | Scans | IP sweep from internal network | Any | Any | SNMP-read | Hosts that query other hosts |
| DNS Servers | Scans | IP sweep from internal network | DNS servers | - | DNS | Inter-DNS servers updates |
| | Denial of Service (DoS) | High connection rate on internal host on service | Any | DNS servers | DNS | DNS requests and inter-DNS servers updates |
| | Anomalies | High connection rate from internal network | Any | Any | DNS | DNS requests and inter-DNS servers updates |
| | Anomalies | High connection rate from internal network on service | Any | Any | DNS | DNS requests and inter-DNS servers updates |
| | Anomalies | Abnormal activity on service | Any | Any | DNS | DNS requests and inter-DNS servers updates |
| NIS Servers | Scans | Port scan from internal network | NIS servers | Any | - | Multiple NIS queries |
| | Denial of Service (DoS) | High connection rate on internal host on service | Any | NIS servers | NIS | NIS queries |
| | Anomalies | High connection rate from internal network | Any | Any | NIS | NIS queries |
| | Anomalies | High connection rate from internal network on service | Any | Any | NIS | NIS queries |
| | Anomalies | Abnormal activity on service | Any | Any | NIS | NIS queries |
| LDAP Servers | Denial of Service (DoS) | High connection rate on internal host on service | Any | LDAP servers | LDAP | LDAP requests |
| | Anomalies | High connection rate from internal network | Any | LDAP servers | LDAP | LDAP requests |
| | Anomalies | High connection rate from internal network on service | Any | LDAP servers | LDAP | LDAP requests |
| | Anomalies | Abnormal activity on service | Any | LDAP servers | LDAP | LDAP requests |
| HTTP Proxy Servers - Hosts To Proxy Server | Denial of Service (DoS) | High connection rate on internal host on service | Any | Proxy servers | HTTP:8080 | Hosts connections to Proxy servers |
| | Anomalies | High connection rate from internal network | Any | Proxy servers | HTTP:8080 | Hosts connections to Proxy servers |
| | Anomalies | High connection rate from internal hosts on service | Any | Proxy servers | HTTP:8080 | Hosts connections to Proxy servers |
| | Anomalies | Abnormal activity on service | Any | Proxy servers | HTTP:8080 | Hosts connections to Proxy servers |
| HTTP Proxy Servers - Out to the Web | Scans | IP sweep from internal network | Proxy servers | Any | HTTP/HTTPS | Proxy servers connections out to various sites |
| | Denial of Service (DoS) | High connection rate on internal host on service | Proxy servers | Any | HTTP/HTTPS | Proxy servers connections out to various sites |
| | Anomalies | High connection rate from internal network | Proxy servers | Any | HTTP/HTTPS | Proxy servers connections out to various sites |
| | Anomalies | High connection rate from internal hosts on service | Proxy servers | Any | HTTP/HTTPS | Proxy servers connections out to various sites |
| | Anomalies | Abnormal activity on service | Proxy servers | Any | HTTP/HTTPS | Proxy servers connections out to various sites |
| UFP Servers | Denial of Service (DoS) | High connection rate on internal host on service | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers |
| | Anomalies | High connection rate from internal network | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers |
| | Anomalies | High connection rate from internal hosts on service | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers |
| | Anomalies | Abnormal activity on service | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers |
| CVP Servers Request | Denial of Service (DoS) | High connection rate on internal host on service | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers |
| | Anomalies | High connection rate from internal network | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers |
| | Anomalies | High connection rate from internal hosts on service | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers |
| | Anomalies | Abnormal activity on service | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers |
| CVP Servers Replies | Scans | Port scans from internal network | CVP servers | Any | - | Multiple CVP replies to same GW |
| | Scans | IP sweep from internal network | CVP servers | - | CVP | CVP replies to multiple GWs |
| | Denial of Service (DoS) | High connection rate on internal host on service | CVP servers | Any | Any/CVP by vendor | CVP replies |
| | Anomalies | High connection rate from internal network | CVP servers | Any | Any/CVP by vendor | CVP replies |
| | Anomalies | High connection rate from internal hosts on service | CVP servers | Any | Any/CVP by vendor | CVP replies |
| | Anomalies | Abnormal activity on service | CVP servers | Any | Any/CVP by vendor | CVP replies |
| UA Server Request | Denial of Service (DoS) | High connection rate on internal host on service | Any | UA servers | uas-port (TCP:19191, TCP:19194) | Connections to UA servers |
| | Anomalies | High connection rate from internal network | Any | UA servers | uas-port (TCP:19191, TCP:19194) | Connections to UA servers |
| | Anomalies | High connection rate from internal hosts on service | Any | UA servers | uas-port (TCP:19191, TCP:19194) | Connections to UA servers |
| | Anomalies | Abnormal activity on service | Any | UA servers | uas-port (TCP:19191, TCP:19194) | Connections to UA servers |
| UA Servers Replies | Scans | Port scans from internal network | UA servers | Any | - | Multiple UA replies to the same computer |
| | Scans | IP sweep from internal network | UA servers | Any | uas-port (TCP:19191, TCP:19194) | Multiple UA replies to multiple computers |
| | Denial of Service (DoS) | High connection rate on internal host on service | UA servers | Any | uas-port (TCP:19191, TCP:19194) | UA replies |
| | Anomalies | High connection rate from internal network | UA servers | Any | uas-port (TCP:19191, TCP:19194) | UA replies |
| | Anomalies | High connection rate from internal hosts on service | UA servers | Any | uas-port (TCP:19191, TCP:19194) | UA replies |
| | Anomalies | Abnormal activity on service | UA servers | Any | uas-port (TCP:19191, TCP:19194) | UA replies |
| SMTP Servers | Scans | IP sweep from internal network | SMTP servers | - | SMTP | SMTP servers connections out to various SMTP servers |
| | Denial of Service (DoS) | High connection rate on internal host on service | SMTP servers | Any | SMTP | SMTP servers connections out to various SMTP servers |
| | Anomalies | High connection rate from internal network | SMTP servers | Any | SMTP | SMTP servers connections out to various SMTP servers |
| | Anomalies | High connection rate from internal hosts on service | SMTP servers | Any | SMTP | SMTP servers connections out to various SMTP servers |
| | Anomalies | Abnormal activity on service | SMTP servers | Any | SMTP | SMTP servers connections out to various SMTP servers |
| AV_Defs Servers | Scans | IP sweep from internal network | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definitions updates deployment |
| | Denial of Service (DoS) | High connection rate on internal host on service | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definitions updates deployment |
| | Anomalies | High connection rate from internal network | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definitions updates deployment |
| | Anomalies | High connection rate from internal hosts on service | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definitions updates deployment |
| | Anomalies | Abnormal activity on service | AV_Defs servers | - | Any/AV by vendor | Anti-Virus definitions updates deployment |
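The tuning described above, as an added example that is not Check Point's code: a toy "High connection rate on internal host on service" detector run over constructed log lines, first with the default policy and then with the table's Any-to-DNS-servers exclusion plus a raised per-minute threshold for a busy web server. Group names, IP addresses, thresholds and the log format are all constructed for the example.

```python
# Added example (not Check Point's code): a toy model of the Event Policy tuning
# described on this page. Hosts, groups, thresholds and log lines are constructed.
from collections import Counter

# Constructed connection log: one line per connection, "minute src dst service".
SAMPLE_LOGS = (
    ["0 10.0.0.5 10.0.0.53 DNS"] * 6       # workstation resolving names (benign)
    + ["0 10.0.0.7 10.0.0.80 HTTP"] * 6    # client on a busy web server (benign)
    + ["0 10.0.0.9 10.0.0.22 SSH"] * 6     # one host hammering an SSH server (suspicious)
)

# Network object groups referenced by Exclusions, like the table's "DNS servers".
GROUPS = {"DNS servers": {"10.0.0.53"}, "Web servers": {"10.0.0.80"}}

def _match(pattern, value):
    """'Any' matches everything; a group name matches its members; else exact host."""
    return pattern == "Any" or pattern == value or value in GROUPS.get(pattern, set())

def high_connection_rate_events(logs, threshold, exclusions=(), dest_thresholds=None):
    """Return (minute, src, dst, service, count) for each (src, dst, service) whose
    per-minute connection count exceeds its threshold and matches no Exclusion.
    exclusions: (Source, Dest, Service) triples, shaped like a row of the table.
    dest_thresholds: per-destination overrides, e.g. a higher rate for a busy web server."""
    dest_thresholds = dest_thresholds or {}
    counts = Counter(tuple(line.split()) for line in logs)
    events = []
    for (minute, src, dst, svc), n in sorted(counts.items()):
        limit = dest_thresholds.get(dst, threshold)
        if n <= limit:
            continue
        if any(_match(s, src) and _match(d, dst) and _match(v, svc)
               for s, d, v in exclusions):
            continue                       # tuned out as a known-benign source
        events.append((int(minute), src, dst, svc, n))
    return events

def untuned():
    """Default policy: every busy triple fires, including the two benign ones."""
    return high_connection_rate_events(SAMPLE_LOGS, threshold=5)

def tuned():
    """Policy after the table's DNS exclusion and a web-server threshold override."""
    return high_connection_rate_events(
        SAMPLE_LOGS, threshold=5,
        exclusions=[("Any", "DNS servers", "DNS")],  # table row: Any -> DNS servers, DNS
        dest_thresholds={"10.0.0.80": 50},           # busy web server: allow 50 per minute
    )

if __name__ == "__main__":
    print("untuned:", untuned())   # three events, two of them false positives
    print("tuned:  ", tuned())     # only the SSH burst remains
```

Only the SSH burst survives the tuned policy, which is the effect the Exclusions and threshold adjustments in the table are meant to produce.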