IDS mailing list archives

Re: Announcement: Alert Verification for Snort


From: Robin Sommer <robin () icir org>
Date: Fri, 24 Oct 2003 17:55:48 +0200


On Thu, Oct 23, 2003 at 06:53 -0400, Sam f. Stover wrote:

> In the not too distant past I would have agreed with this - but I think 
> as IDS implementations grew, the way people describe FPs has changed.  
> I think today's IDS *needs* to know "the additional information about 
> the context and relevance" - because the event you are referring to is 
> what I'll call an "effective FP". 

There is a paper upcoming at ACM's CCS next week in which we use the
term "contextual signatures" to describe the enhancement of
Snort-like signatures by incorporating additional context. We
implemented this for IDS Bro, making use of all its already existing
mechanisms to provide context (which includes a full scripting
language).

> Even better, I want to see the 404 or 403 error, so I 
> can show my boss why I didn't even bother to look into it.

Actually, this is one of our examples: For a certain attack, we want
the IDS to alert only if the server has not answered with a 4xx. 

The paper is available at http://www.net.in.tum.de/~robin/papers/ccs03.ps

Robin

-- 
Robin Sommer * Room        01.08.055 * www.net.in.tum.de
TU Munich    * Phone (089) 289-18006 *  sommer () in tum de 
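The "alert only if the server has not answered with a 4xx" logic from the post, as an added Python example (not code from the paper or from Bro's signature engine; the signature pattern, the log format and the log lines are all constructed for the example): a request-side signature match is kept only when the server's reply does not show the request was rejected.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed signature for this example: a request URI containing a
# "../" sequence.  Stand-in for "a certain attack" in the post.
PROBE_SIGNATURE = re.compile(r"\.\./")


@dataclass
class HttpExchange:
    client: str
    uri: str
    status: int  # server's HTTP status code; 0 if no reply was observed


def contextual_alert(x: HttpExchange) -> Optional[str]:
    """Fire only when the signature matches AND the server did not answer
    with a 4xx.  A 4xx turns the match into an "effective FP" and is
    suppressed; no reply at all (status 0) still alerts."""
    if not PROBE_SIGNATURE.search(x.uri):
        return None
    if 400 <= x.status < 500:
        return None
    return f"ALERT {x.client} {x.uri} status={x.status}"


# Constructed sample log: "<client> <request URI> <status, or - for no reply>"
SAMPLE_LOG = """\
10.0.0.5 /index.html 200
10.0.0.7 /cgi-bin/../../etc/passwd 404
10.0.0.8 /cgi-bin/../../etc/passwd 200
10.0.0.9 /cgi-bin/../../etc/passwd 403
10.0.0.10 /cgi-bin/../../etc/passwd -
"""


def parse_log(text: str) -> List[HttpExchange]:
    exchanges = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, uri, status = line.split()
        exchanges.append(HttpExchange(client, uri, int(status) if status.isdigit() else 0))
    return exchanges


def run(text: str) -> List[str]:
    """Return the alerts that survive the context check, in log order."""
    return [a for a in (contextual_alert(x) for x in parse_log(text)) if a]


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

Of the four signature hits in the sample, only the one answered with 200 and the one with no observed reply are reported; the 403 and 404 hits are the "effective FPs" the thread is talking about.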
