On Thursday, October 23, 2003, at 07:03 PM, Christopher Kruegel wrote:
> From a theoretical point of view, I think that Marty is right and his
> classification is correct.
I probably agree with you both "theoretically". However, I was talking
about what actually happens to real users. I used to work for an IDS
vendor, and I know how much of a glass bubble it can be. Out in the
"real world" however, theory is vastly different than practice.
> In fact, we had a discussion about whether 'alert verification' was
> the correct term to use. We then concluded that most people don't care
> why they spent time looking at an alert that doesn't matter to them
> and that they refer to such alerts in general as false positives.
This is *not* my experience. I personally get extremely annoyed if
it's my fault (or the fault of the tool I chose to employ) that I'm led
me on a wild goose chase. I want my IDS to learn with me, not
constantly provide me with the same level of annoyance. It needs to
evolve.
> That's why we used the terminology that we did.
That's cool. I know my opinion doesn't really matter in the end. I
just thought I'd contribute my experiences. ;-)
____
S.f.Stover
sstover_at_iwc.sytexinc.com
Received on Oct 24 2003