IDS: RE: Network hardware IPS

From: Frank Knobbe <frank_at_knobbe.us>
Date: Fri, 10 Oct 2003 13:13:21 -0500

On Fri, 2003-10-10 at 12:56, Dave Killion wrote:
> Knowing a particular HTTP attack detection signature, I can always invent a
> URL that I claim is valid, and then therefore will trigger a false positive.
> With that in mind, I have to go with best guess - the majority of the time,
> if I see cmd.exe in a URL, is it malicious? Most likely, yes.

But it doesn't have to be. That's why we should strive to reduce false
positives. Perhaps a better signature (for starters, CMD.EXE? instead of
just CMD.EXE) or some sort of context within the request or even session
would be a better solution than to accept ... uhmm... collateral damage
by affecting some users with a weak sig.

> My whole point in this discussion has been the fact that for a given attack,
> it is possible to increase accuracy without reducing the detection rate
> through accuracy and context. That's really all there is to it.

heh...(I guess I should read emails in toto before replying...)

I agree that context can increase accuracy, but in my opinion it should
be a tool to reduce the detection rate (assuming we're reducing false
positives). Perhaps you need to define which detection rate you mean:
alerts/detections that the sensor picks up, or alerts/detections that are
passed on to the administrator?

Regards,
Frank
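The signature tightening Frank sketches above (matching "CMD.EXE?" rather than a bare "CMD.EXE", then adding request context) can be shown concretely. The following is an added example, not code from the thread or from any IDS product: it runs three increasingly specific matchers over a handful of constructed HTTP request lines and counts how many each one fires on. The matcher names, the `Request` helper and the sample requests are all assumptions made for illustration; the traversal-style request is modelled on the well-known `cmd.exe?/c+dir` form, and the "/c" and "/k" switches are real cmd.exe switches, but everything else is invented for the demo.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote_plus


@dataclass
class Request:
    method: str
    target: str   # the request-target as sent, still percent-encoded
    version: str


def parse_request_line(line: str) -> Request:
    """Split an HTTP request line ('GET /path HTTP/1.0') into its parts."""
    method, target, version = line.strip().split(" ", 2)
    return Request(method, target, version)


# 1. Weak signature: any occurrence of "cmd.exe" anywhere in the target.
#    This is the kind of match that flags a documentation URL as an attack.
WEAK = re.compile(r"cmd\.exe", re.IGNORECASE)

# 2. Tighter signature ("CMD.EXE?" in the post): cmd.exe must be a path
#    component that is immediately followed by a query string.
TIGHT = re.compile(r"/cmd\.exe\?", re.IGNORECASE)


def weak_match(req: Request) -> bool:
    return bool(WEAK.search(req.target))


def tight_match(req: Request) -> bool:
    return bool(TIGHT.search(req.target))


def contextual_match(req: Request) -> bool:
    """3. Request context: cmd.exe is the last path element AND the query
    starts with a cmd.exe command switch (/c or /k), i.e. it looks like an
    attempt to run a command rather than, say, a download of a file that
    happens to be called cmd.exe.

    One round of percent-decoding is applied before matching. Double-encoded
    traversal (e.g. %255c) would need a second decode pass; that is left out
    here to keep the example focused on the signature shape."""
    parts = urlsplit(req.target)
    path = unquote_plus(parts.path).lower()
    query = unquote_plus(parts.query).lower().lstrip()
    return path.endswith("/cmd.exe") and query.startswith(("/c", "/k"))


# Constructed sample traffic: one traversal-style attack, three benign
# requests that merely contain the string "cmd.exe", one unrelated request.
SAMPLE_REQUESTS = [
    r"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0",
    "GET /articles/cmd.exe-history.html HTTP/1.1",
    "GET /search?q=cmd.exe HTTP/1.1",
    "GET /tools/cmd.exe?download=1 HTTP/1.1",
    "GET /index.html HTTP/1.1",
]


def evaluate(lines):
    """Return (target, weak, tight, contextual) for every request line."""
    results = []
    for line in lines:
        req = parse_request_line(line)
        results.append(
            (req.target, weak_match(req), tight_match(req), contextual_match(req))
        )
    return results


def count_alerts(lines):
    """How many requests each matcher would alert on: (weak, tight, contextual)."""
    rows = evaluate(lines)
    return (
        sum(1 for r in rows if r[1]),
        sum(1 for r in rows if r[2]),
        sum(1 for r in rows if r[3]),
    )


if __name__ == "__main__":
    for target, weak, tight, ctx in evaluate(SAMPLE_REQUESTS):
        print(f"{target:60} weak={weak!s:5} tight={tight!s:5} context={ctx}")
    print("alerts (weak, tight, contextual):", count_alerts(SAMPLE_REQUESTS))
```

On the five sample requests the bare substring match fires four times, the "/cmd.exe?" form twice, and the context-aware check once, on the only request that actually tries to execute a command. The true positive is caught by all three; what changes is how much benign traffic is swept up with it. Session-level context of the kind Frank also mentions (for instance, whether the server answered 200 rather than 404) would need the response side of the connection and is not modelled here.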

Received on Oct 15 2003