Volker Birk wrote in news: email@example.com:
yes. that is an option.
i would still be interested to learn how does one confirm this type of false positive for my own education.
there are threshold settings i can adjust, but they don't seem to be very descriptive or intuitive. and nowhere in the settings or in the skimpy manual does it mention anything about the alerts or how to manage them.
That does not sound like the IDS documentation one wants to have. "Documentation is like sex - if it's good, it's very, very good, if it's bad, it's better than nothin'."
Anyway, in your OP you're telling us:
| We are getting pounded with RIPv1 alerts every night and they stop around
| 8am or 9am. Something tells me that this might be a false positive but how
| do I verify that?
Well, do you use RIP in your network? If yes, don't use version 1 any more.
If not, have a sniffer in the network where the IDS is finding those RIP datagrams. Perhaps Ethereal will do a good job here. RIP is a routing protocol, and version 1 is not used any more by most people, because it lacks security completely, see RFC 1058 and 2453 - or use OSPF, see RFC 2328.
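To make the sniffer step concrete, here is an added example (not code from anyone in this thread) that decodes the payload of a UDP/520 datagram according to RFC 1058 and RFC 2453, so you can tell a well-formed RIPv1 request or response apart from arbitrary traffic that merely hit port 520 and tripped the IDS. The sample datagrams and the 10.x/192.168.x addresses below are constructed for the example; feed it the UDP payload bytes exported from Ethereal instead.

```python
"""Decode RIP datagrams (UDP port 520) to verify what an IDS 'RIPv1' alert saw.

RFC 1058 (RIPv1) header: command(1) version(1) must-be-zero(2)
RFC 1058 entry (20 bytes): AFI(2) zero(2) IPv4 addr(4) zero(4) zero(4) metric(4)
RFC 2453 (RIPv2) entry   : AFI(2) route tag(2) IPv4 addr(4) mask(4) next hop(4) metric(4)
Metric 16 means 'unreachable'; a request with one entry, AFI 0 and metric 16
asks the neighbour for its whole routing table (RFC 1058 section 3.4.1).
"""
import ipaddress
import struct

RIP_PORT = 520  # well-known UDP port for RIP
RIP_COMMANDS = {1: "request", 2: "response"}
HEADER = struct.Struct("!BBH")
ENTRY = struct.Struct("!HHIIII")


def parse_rip(payload: bytes) -> dict:
    """Parse a RIP datagram; raise ValueError if it is not well-formed RIP."""
    if len(payload) < HEADER.size or (len(payload) - HEADER.size) % ENTRY.size:
        raise ValueError("bad length for a RIP datagram")
    command, version, pad = HEADER.unpack_from(payload, 0)
    if version not in (1, 2):
        raise ValueError(f"unknown RIP version {version}")
    if pad != 0:
        raise ValueError("header must-be-zero field is non-zero")
    entries = []
    for off in range(HEADER.size, len(payload), ENTRY.size):
        afi, tag, addr, mask, nexthop, metric = ENTRY.unpack_from(payload, off)
        if not 1 <= metric <= 16:
            raise ValueError(f"metric {metric} out of range")
        entry = {"afi": afi, "address": str(ipaddress.IPv4Address(addr)), "metric": metric}
        if version == 1:
            # RIPv1 has no tag/mask/next hop; those fields must be zero.
            if tag or mask or nexthop:
                raise ValueError("RIPv1 entry has non-zero must-be-zero fields")
        else:
            entry["route_tag"] = tag
            entry["mask"] = str(ipaddress.IPv4Address(mask))
            entry["next_hop"] = str(ipaddress.IPv4Address(nexthop))
        entries.append(entry)
    return {"command": RIP_COMMANDS.get(command, f"unknown({command})"),
            "version": version, "entries": entries}


def describe(payload: bytes) -> str:
    """One-line verdict suitable for triaging an alert."""
    try:
        pkt = parse_rip(payload)
    except ValueError as exc:
        return f"not RIP: {exc}"
    n = len(pkt["entries"])
    if (pkt["command"] == "request" and n == 1
            and pkt["entries"][0]["afi"] == 0 and pkt["entries"][0]["metric"] == 16):
        return f"RIPv{pkt['version']} request for the full routing table"
    return f"RIPv{pkt['version']} {pkt['command']} with {n} route(s)"


def build_ripv1_response(routes) -> bytes:
    """Build a RIPv1 response from (dotted network, metric) pairs (constructed sample data)."""
    body = HEADER.pack(2, 1, 0)
    for net, metric in routes:
        body += ENTRY.pack(2, 0, int(ipaddress.IPv4Address(net)), 0, 0, metric)
    return body


# Constructed samples: what a classful RIPv1 talker, a RIPv2 talker and a
# full-table request look like on the wire, plus junk aimed at port 520.
SAMPLE_V1 = build_ripv1_response([("10.1.0.0", 1), ("10.2.0.0", 2)])
SAMPLE_V2 = HEADER.pack(2, 2, 0) + ENTRY.pack(
    2, 0, int(ipaddress.IPv4Address("192.168.5.0")),
    int(ipaddress.IPv4Address("255.255.255.0")), 0, 3)
SAMPLE_REQUEST = HEADER.pack(1, 1, 0) + ENTRY.pack(0, 0, 0, 0, 0, 16)
SAMPLE_JUNK = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, data in [("v1", SAMPLE_V1), ("v2", SAMPLE_V2),
                       ("request", SAMPLE_REQUEST), ("junk", SAMPLE_JUNK)]:
        print(f"{name:8} {describe(data)}")
```

If the decoder says the nightly datagrams are well-formed RIPv1 responses, the alert is not a false positive: some host on that segment really is speaking RIPv1, and the source address in the capture tells you which one. If the datagrams are full-table requests, look for a host that runs a RIP listener at boot or on a schedule. If the payload does not parse, the IDS signature is matching on the port alone and the alert needs tuning.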