Which of the following is not a method of mitigating false positives on a Sourcefire device? (Select the best answer.)
- disabling unnecessary Snort rules
- suppressing event notifications
- reporting false positives to Cisco Technical Support
- configuring an Allow action without inspection
- configuring a Block action
Configuring a Block action is not a method of mitigating false positives on a Sourcefire device. A false positive occurs when an intrusion detection system (IDS) or intrusion prevention system (IPS) identifies nonmalicious traffic as malicious. Sourcefire devices are commercial Cisco IDSs based on the open-source IDS known as Snort. The Block action simply blocks traffic and does not perform any type of inspection. Although the Block action might prevent notifications from false positives, it would also drop legitimate traffic.
Configuring an Allow action without inspection is a method of mitigating false positives on a Sourcefire device. A Sourcefire device can match traffic based on a number of conditions, including security zones, networks, virtual LAN (VLAN) tags, source or destination ports, applications, Uniform Resource Locators (URLs), or users. The Sourcefire is also capable of handling traffic matching a given condition by applying an action, or rule, to the traffic. The actions that are supported by a Sourcefire include all of the following:
- Interactive Block
A Sourcefire can inspect and log traffic that is passed by the Allow action. Sourcefire inspection occurs when an Intrusion Policy is applied to this action. Applying an action without an Intrusion Policy performs the given action when traffic matches a condition but does not inspect the traffic. Therefore, you could apply an Allow action without an Intrusion Policy to allow all traffic matching a given condition and prevent that traffic from generating a false positive. Conversely, you might apply an Allow action with an Intrusion Policy to permit all but malicious traffic that matches a given condition.
Disabling unnecessary Snort rules is a method of mitigating false positives on a Sourcefire device. Unnecessary rules include rules that are designed to prevent the exploitation of vulnerabilities that have been fixed, rendering the rule obsolete. Disabling such rules prevents them from generating alerts based on matching traffic.
Reporting false positives to Cisco Technical Support is a method of mitigating false positives on a Sourcefire device. Default Sourcefire Snort rules that trigger notifications might need to be modified by Cisco’s Vulnerability Research Team (VRT) if the rule is causing legitimate traffic to be dropped.
Suppressing event notifications by using the Sourcefire Suppression feature is a method of mitigating false positives on a Sourcefire device. The Suppression feature will prevent the Sourcefire device from sending event notifications. However, the Suppression feature does not prevent the Sourcefire from processing traffic. Therefore, the generation of false positives might still be a drain on device resources. Also, legitimate traffic could be silently dropped.