IDS
mailing list archives
Re: Announcement: Alert Verification for Snort
From: Christopher Kruegel <chris () cs ucsb edu>
Date: Thu, 23 Oct 2003 16:03:20 -0700
> > In case 2 the "nontextual" isn't a false positive but I think that
> > most people are calling it an FP these days. I *personally* think
> > that's a misconception. What we have in that case is a *real attack*
> > that your IDS is detecting exactly as it was asked to. Just because
> > it doesn't have the additional information about the context or
> > relevance of the event isn't a problem with the IDS, it's a side
> > effect of the way that NIDS have been built for the past 10 years.
>
> In the not-too-distant past I would have agreed with this, but I
> think as IDS implementations grew, the way people describe FPs has
> changed. I think today's IDS *needs* to know "the additional
> information about the context and relevance", because the event you
> are referring to is what I'll call an "effective FP". Effective
> because any time I spend trying to track down an IIS attack on an
> Apache box is wasted effort. I completely understand your point,
> Marty, because an attack did occur, and the IDS did log it. However,
> if it is going to log it, then I want it to tell me that the severity
> of the attack is lessened because it didn't succeed. Even better, I
> want to see the 404 or 403 error, so I can show my boss why I didn't
> even bother to look into it.
From a theoretical point of view, I think that Marty is right and his
classification is correct. In fact, we had a discussion about whether
'alert verification' was the correct term to use. We then concluded
that most people don't care why they spent time looking at an alert
that doesn't matter to them and that they refer to such alerts in
general as false positives. That's why we used the terminology that we
did.
christopher
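The triage rule the quoted replies describe (an IIS signature firing against an Apache box is an "effective FP"; a 403/404 from a matching server lowers the severity rather than dismissing the alert) written out as a small verification function. This is an added example, not part of the original message and not the Snort alert-verification code the thread announces. The `platform` field on the alert, the `INVENTORY` table, the banner-to-platform map and the sample alerts are all constructed assumptions for the sake of the example.

```python
"""Alert verification sketch: decide whether an IDS alert describes an attack
that could have succeeded against its target, and adjust its priority.

Added example; inputs below are constructed, not real traffic."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    sid: int            # rule id (constructed; 1000000+ is the local-rule range)
    msg: str
    platform: str       # platform the rule's attack applies to (assumed rule metadata)
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Verdict:
    status: str         # "effective_fp", "failed", "verified" or "unknown"
    priority: int       # 1 = highest, 3 = lowest (Snort's priority convention)
    reason: str


# Constructed asset inventory: what is known to run on each host:port,
# e.g. from an asset database or passive fingerprinting.
INVENTORY = {
    ("192.0.2.10", 80): "apache",
    ("192.0.2.20", 80): "iis",
}

# Server-header prefixes mapped onto the platform names used above (assumed).
_BANNERS = {"microsoft-iis": "iis", "apache": "apache", "nginx": "nginx"}


def platform_from_banner(server_header: Optional[str]) -> Optional[str]:
    """Map an HTTP Server header observed in the response to a platform name."""
    if not server_header:
        return None
    name = server_header.strip().lower()
    for prefix, platform in _BANNERS.items():
        if name.startswith(prefix):
            return platform
    return None


def verify(alert: Alert, server_header: Optional[str] = None,
           status_code: Optional[int] = None, base_priority: int = 1) -> Verdict:
    """Verify one alert against what is known about the target and its reply.

    A banner seen in the actual response outranks the inventory, because it is
    observed rather than recorded. The result never discards the alert; it only
    reclassifies it and adjusts the priority an analyst should give it.
    """
    target = platform_from_banner(server_header) or INVENTORY.get(
        (alert.dst_ip, alert.dst_port))

    # Attack against a platform the target does not run: real attack, logged
    # correctly, but nothing to track down. Lowest priority.
    if target is not None and target != alert.platform:
        return Verdict("effective_fp", 3,
                       f"rule targets {alert.platform} but host runs {target}")

    if status_code is not None:
        # The server rejected the request or had no such resource. The attack
        # did not succeed on this path, but the platform matches, so keep it
        # visible at reduced priority (a 404 says nothing about patch level).
        if status_code in (400, 403, 404):
            return Verdict("failed", min(base_priority + 1, 3),
                           f"server answered {status_code}: request rejected")
        # A 2xx means the server served the attack request: treat as live.
        if 200 <= status_code < 300:
            return Verdict("verified", base_priority,
                           f"target platform matches and server answered {status_code}")
        # 5xx or other: could be a crash caused by the attack; do not downgrade.

    return Verdict("unknown", base_priority,
                   "no contradicting target or response data; keep original priority")
```

The function deliberately keeps the "effective_fp" case as a verdict with a priority rather than dropping it, which matches Christopher's point above: the alert is still a correctly detected attack, it just does not deserve analyst time.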