Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



IDS: Re: Announcement: Alert Verification for Snort

Re: Announcement: Alert Verification for Snort

From: Christopher Kruegel <chris_at_cs.ucsb.edu>
Date: Thu, 23 Oct 2003 16:03:20 -0700

>> In case 2 the "nontextual" isn't a false positive but I think that
>> most people are calling it an FP these days. I *personally* think
>> that's a misconception. What we have in that case is a *real attack*
>> that your IDS is detecting exactly as it was asked to. Just because
>> it doesn't have the additional information about the context or
>> relevance of the event isn't a problem with the IDS, it's a side
>> effect of the way that NIDS have been built for the past 10 years.
>
> In the not too distant past I would have agreed with this - but I
> think as IDS implementations grew, the way people describe FPs has
> changed. I think today's IDS *needs* to know "the additional
> information about the context and relevance" - because the event you
> are referring to is what I'll call an "effective FP". Effective
> because any time I spend trying to track down an IIS attack on an
> apache box is wasted effort. I completely understand your point
> Marty, because an attack did occur, and the IDS did log it. However,
> if it is going to log it, then I want it to tell me that the severity
> of the attack is lessened because it didn't succeed. Even better, I
> want to see the 404 or 403 error, so I can show my boss why I didn't
> even bother to look into it.

 From a theoretical point of view, I think that Marty is right and his
classification is correct. In fact, we had a discussion about whether
'alert verification' was the correct term to use. We then concluded
that most people don't care why they spent time looking at an alert
that doesn't matter to them and that they refer to such alerts in
general as false positives. That's why we used the terminology that we
did.

christopher

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
and use priority code SF4.
---------------------------------------------------------------------------
Received on Oct 24 2003

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos