RE: Intrusion Detection v7r1 settings

For websphere we used IP address and ignored it
For PCs running Client Access it is something we live with until we find some other option
Which may be not relying on the IBM canned email alerts and scanning the logs and developing our own improved filtering capability.

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of JWGrant@xxxxxxxxxxxxxxx
Sent: Thursday, March 19, 2015 2:01 PM
To: Midrange Systems Technical Discussion
Subject: Re: Intrusion Detection v7r1 settings

Same issue here. Many products generate false positives. I have scoured the internet and IBM resources for info on how to tone down the false positives but have not yet found a solution.

Jim


Jim W Grant
Senior VP, Chief Information Officer
Web: www.pdpgroupinc.com




From: Jim Franz <franz9000@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 03/19/2015 01:55 PM
Subject: Re: Intrusion Detection v7r1 settings
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



so how does one determine a real Ack Storm vs a product "feature"?
If I exclude the product (by port) then a real issue can be missed.
Jim

On Thu, Mar 19, 2015 at 1:47 PM, Mike Cunningham <mike.cunningham@xxxxxxx>
wrote:

I found the same thing. Websphere app server appears to create what

looks

like an intrusion as does Client Access devices set to auto-reconnect

and

you shut down qinter. Also some remote printers when a report gets
stuck

at

the printer as the printer sends back messages

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Jim Franz
Sent: Thursday, March 19, 2015 1:44 PM
To: Midrange Systems Technical Discussion
Subject: Intrusion Detection v7r1 settings

We have turned on the default IDS settings, and given the reports,
wondering if some of the normal IBM products are the cause of some

reports

and how others are working with this.
Can (and maybe prefer) to discuss offline.
Jim
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.



--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.