IDS
mailing list archives
RE: Network hardware IPS
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 10 Oct 2003 13:13:21 -0500
On Fri, 2003-10-10 at 12:56, Dave Killion wrote:
> Knowing a particular HTTP attack detection signature, I can always invent a
> URL that I claim is valid, and then therefore will trigger a false positive.
> With that in mind, I have to go with best guess - the majority of the time,
> if I see cmd.exe in a URL, is it malicious? Most likely, yes.
But it doesn't have to be. That's why we should strive to reduce false
positives. Perhaps a better signature (for starters CMD.EXE? instead of
just CMD.EXE) or some sort of context within the request or even session
would be a better solution than to accept ... uhmm... collateral damage
by affecting some users with a weak sig.
> My whole point in this discussion has been the fact that for a given attack,
> it is possible to increase accuracy without reducing the detection rate
> through accuracy and context. That's really all there is to it.
heh...(I guess I should read emails in toto before replying...)
I agree that context can increase accuracy, but in my opinion it should
be a tool to reduce the detection rate (assuming we're reducing false
positives). Perhaps you need to define which detection rate you mean.
Alerts/detection that the sensor picks up, or alerts/detection that are
passed on to the administrator.
Regards,
Frank
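Added example, not part of the original thread or of any product discussed in it: the weak "cmd.exe anywhere in the URL" signature beside the refined one Frank sketches (match CMD.EXE? and then require context within the request), run over a handful of constructed sample URLs. The sample requests, the double percent-decoding step, and the choice of directory traversal or cmd.exe's own /c and /k switches as the "context" are assumptions made here for illustration; the thread itself does not specify them.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (url, is_malicious). These are illustrative
# and were not taken from the mailing list thread.
SAMPLE_REQUESTS = [
    # Traversal (double-encoded backslash) to cmd.exe with a /c command.
    ("/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\\", True),
    # Traversal with single-encoded backslashes.
    ("/_vti_bin/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir", True),
    # No traversal, but cmd.exe is invoked with its command switch.
    ("/cgi-bin/cmd.exe?/c+dir", True),
    # Benign: a documentation page whose name contains cmd.exe.
    ("/docs/windows/cmd.exe-reference.html", False),
    # Benign: a site search for the string cmd.exe.
    ("/search?q=how+to+use+cmd.exe", False),
    # Benign (assumed): an article path ending in cmd.exe with a query string
    # that is not a command switch, so CMD.EXE? alone would still fire.
    ("/kb/articles/cmd.exe?view=print", False),
]


def decode_url(url: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so double-encoded traversal such as
    %255c (-> %5c -> '\\') is inspected in its final form, then lowercase."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.lower()


def weak_signature(url: str) -> bool:
    """The 'weak sig' from the thread: alert on cmd.exe anywhere in the URL."""
    return "cmd.exe" in decode_url(url)


# '..' followed by a forward or back slash anywhere in the path.
TRAVERSAL = re.compile(r"\.\.[\\/]")
# 'cmd.exe?' with the remainder of the query string captured.
CMD_WITH_QUERY = re.compile(r"cmd\.exe\?(.*)$")


def contextual_signature(url: str) -> bool:
    """Refined signature: require 'cmd.exe?' (the executable itself being
    requested with arguments) plus request context, here either directory
    traversal in the path before it or cmd.exe's /c or /k switch leading the
    query. Which context to demand is an assumption of this example."""
    decoded = decode_url(url)
    match = CMD_WITH_QUERY.search(decoded)
    if not match:
        return False
    path_part = decoded[: match.start()]
    query = match.group(1).lstrip("+ ")
    has_traversal = bool(TRAVERSAL.search(path_part))
    has_cmd_switch = query.startswith(("/c", "/k"))
    return has_traversal or has_cmd_switch


def evaluate(samples):
    """Run both signatures over labelled samples and count false positives
    (alert on benign) and misses (no alert on malicious) for each."""
    counts = {
        "weak": {"fp": 0, "fn": 0},
        "contextual": {"fp": 0, "fn": 0},
    }
    detectors = (("weak", weak_signature), ("contextual", contextual_signature))
    for url, malicious in samples:
        for name, detector in detectors:
            hit = detector(url)
            if hit and not malicious:
                counts[name]["fp"] += 1
            elif malicious and not hit:
                counts[name]["fn"] += 1
    return counts


if __name__ == "__main__":
    for url, malicious in SAMPLE_REQUESTS:
        print(f"{'MAL' if malicious else 'ok '} weak={weak_signature(url)!s:5} "
              f"ctx={contextual_signature(url)!s:5} {url}")
    print(evaluate(SAMPLE_REQUESTS))
```

On these samples the weak signature raises three false positives and the contextual one none, while both still catch every malicious request, which is the "increase accuracy without reducing the detection rate" point in dispute. The decoding step matters: without it the double-encoded traversal in the first sample would not be seen by either signature.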