Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



IDS: Re: Announcement: Alert Verification for Snort

Re: Announcement: Alert Verification for Snort

From: Martin Roesch <roesch_at_sourcefire.com>
Date: Thu, 23 Oct 2003 21:51:54 -0400

Hi Raistlin,

On Oct 23, 2003, at 6:35 AM, Raistlin wrote:

>> 1) Detect, Attack Present, Vulnerable: True Positive
>> 2) Detect, Attack Present, Not Vulnerable: Nontextual (i.e. detect
>> requiring contextual data to resolve)
>
> Actually, I think that vulnerable or non-vulnerable is not tied to the
> true/false positive concept... so I'd say:
>
> Detect, Attack Present, Signature Present, [vuln|not]: True Positive

The "signature" (detection method) being present was implicit since
there was a detection. :)

> (thinking of a signature based system, reword it for your favorite
> system)
>
>> 4) No Detect, Attack Present, Vulnerable: False Negative
>> 5) No Detect, Attack Present, Not Vulnerable: ?
>
> Here it is a bit more complex, but I'd say
> No Detect, Attack Present, Signature Present, [Vuln|not vuln]: False
> Negative

I'm leaning that way as well, but I think I'd classify it as somewhere
between a False Negative an a nontextual. Some people might call it a
fortunate happenstance since it reduces the data load from the IDS even
if it is by mistake. :)

> No Detect, Attack Present, Signature Present, Not Vulnerable: a lucky
> false
> negative :)

Exactly!

>> 6) No Detect, No Attack, [vuln|not vuln]: Don't care (true negative?)
>
> True negative is the correct definition, but it encloses also:
>
> No Detect, [Attack|No Attack], No Signature, [vuln|not vuln]

Yes.

>> In case 2 the "nontextual" isn't a false positive but I think that
>> most
>> people are calling it an FP these days. I *personally* think that's a
>> misconception.
>
> I agree wholeheartedly.

      -Marty 

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
and use priority code SF4.
---------------------------------------------------------------------------
Received on Oct 24 2003
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos