IDS: Re: Announcement: Alert Verification for Snort

Re: Announcement: Alert Verification for Snort

From: Sam f. Stover <sstover_at_atrc.sytexinc.com>
Date: Thu, 23 Oct 2003 06:53:41 -0400

On Wednesday, October 22, 2003, at 11:22 PM, Martin Roesch wrote:

> In case 2 the "nontextual" isn't a false positive but I think that
> most people are calling it an FP these days. I *personally* think
> that's a misconception. What we have in that case is a *real attack*
> that your IDS is detecting exactly as it was asked to. Just because
> it doesn't have the additional information about the context or
> relevance of the event isn't a problem with the IDS, it's a side
> effect of the way that NIDS have been built for the past 10 years.

In the not too distant past I would have agreed with this - but I think
as IDS implementations grew, the way people describe FPs has changed.
I think today's IDS *needs* to know "the additional information about
the context and relevance" - because the event you are referring to is
what I'll call an "effective FP". Effective because any time I spend
trying to track down an IIS attack on an apache box is wasted effort.
I completely understand your point Marty, because an attack did occur,
and the IDS did log it. However, if it is going to log it, then I want
it to tell me that the severity of the attack is lessened because it
didn't succeed. Even better, I want to see the 404 or 403 error, so I
can show my boss why I didn't even bother to look into it.

I want my IDS to differentiate between an IIS attack on my apache box
and an IIS attack on an IIS box. I don't really care how it does it.
The two main methods, as I see it, are passive fingerprinting or
integration with another tool like a vuln scanner. Both have their
drawbacks w/ relation to different environments - which could probably
fuel a complete thread.

The IDS landscape has changed. Ten years ago, the type of event
mentioned was probably not considered an FP. But at that time, IDS was
an infant and people weren't dealing with events on the scale of
millions per day like they are today. Current-day NIDS need to evolve
to solve the problems that current-day users are facing. IMHO 10 years
ago, NIDS administrators could afford to be a bit more interested in
all kinds of attacks. IDS was a new and exciting technology. I think
it's lost some of its glamour since then and people have to use it as
just another tool. And the people I talk to don't have the time nor
resources to run down half of the "real" attacks, much less look into
attacks that will never succeed.

Just my $0.02
____
S.f.Stover
sstover_at_iwc.sytexinc.com

Received on Oct 23 2003
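The correlation Stover asks for (an IIS-only attack against an Apache box is real, but it cannot succeed, so it should be demoted and the evidence attached) can be sketched in a few lines. The following is an added illustration, not code from the thread, Snort, or any real alert-verification tool: the signature ids, target platforms, hosts and alerts are all constructed, and the asset context stands in for whatever a passive fingerprinter or vulnerability scanner would supply.

```python
"""Alert verification by target-context correlation (constructed example).

An alert is kept whatever happens, because the attack did occur, but it is
marked "attempted" and dropped to the lowest priority when either the
target platform does not match what the signature exploits, or the sensor
saw the server reject the request with a 403/404.  The reasons are stored
as evidence so an analyst can show why the alert was not chased.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Alert:
    sid: int                            # signature id (constructed values)
    msg: str
    dst_ip: str
    dst_port: int
    priority: int                       # 1 = highest, 3 = lowest (Snort convention)
    http_status: Optional[int] = None   # server reply, if the sensor observed it


# Which server platforms each constructed signature actually affects.
# An empty set means the signature is platform-independent.
SIGNATURE_TARGETS = {
    1001: {"iis"},       # hypothetical IIS-only web signature
    1002: {"apache"},    # hypothetical Apache-only web signature
    1003: set(),         # hypothetical generic web signature
}

# Asset context, as a passive fingerprinter or vuln scanner might report it.
# Keyed by (ip, port) -> platform; a missing key means "no context known".
ASSET_CONTEXT = {
    ("192.0.2.10", 80): "apache",
    ("192.0.2.20", 80): "iis",
}


@dataclass
class Verdict:
    status: str                  # "attempted", "relevant" or "unverified"
    priority: int                # priority after adjustment
    evidence: list = field(default_factory=list)


def verify(alert: Alert, context=ASSET_CONTEXT, targets=SIGNATURE_TARGETS) -> Verdict:
    """Correlate one alert with asset context and the observed server reply."""
    evidence = []
    platform = context.get((alert.dst_ip, alert.dst_port))
    wanted = targets.get(alert.sid, set())
    ineffective = False

    # 1. Platform check: an IIS-only attack against an Apache host cannot succeed.
    if wanted and platform is not None:
        if platform in wanted:
            evidence.append(f"target runs {platform}, which sid {alert.sid} affects")
        else:
            evidence.append(
                f"target runs {platform}; sid {alert.sid} affects {sorted(wanted)} only")
            ineffective = True

    # 2. Server reply: a 403/404 is the proof that the request was rejected.
    if alert.http_status is not None:
        evidence.append(f"server answered HTTP {alert.http_status}")
        if alert.http_status in (403, 404):
            ineffective = True

    if ineffective:
        # Keep the alert, but push it to the lowest priority.
        return Verdict("attempted", max(alert.priority, 3), evidence)
    if wanted and platform in wanted:
        return Verdict("relevant", alert.priority, evidence)
    return Verdict("unverified", alert.priority, evidence)


def triage(alerts):
    """Return (sid, dst_ip, status, priority) for each alert, for a quick summary."""
    return [(a.sid, a.dst_ip, v.status, v.priority) for a in alerts for v in [verify(a)]]


if __name__ == "__main__":
    sample = [
        Alert(1001, "IIS-only probe", "192.0.2.10", 80, 1),                  # Apache box
        Alert(1001, "IIS-only probe", "192.0.2.20", 80, 1),                  # IIS box
        Alert(1001, "IIS-only probe", "192.0.2.20", 80, 1, http_status=404), # rejected
        Alert(1003, "generic web probe", "198.51.100.5", 80, 2),             # no context
    ]
    for a in sample:
        v = verify(a)
        print(f"sid {a.sid} -> {a.dst_ip}: {v.status} (priority {v.priority}); "
              + "; ".join(v.evidence))
```

The two context sources Stover names feed the same table: a passive fingerprinter fills `ASSET_CONTEXT` continuously from observed traffic, while a scanner import refreshes it on a schedule; either way the verification step itself does not care where the platform record came from.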