IDS mailing list archives
Re: False Positives with IntruVert
From: Michael Rash <mbr () cipherdyne com>
Date: Tue, 15 Apr 2003 00:02:14 -0400
On Mar 28, 2003, Cure, Samuel J wrote:
While it seems that many IDS/IPS reviewers rank and measure finding attacks high, it would seem equally, if not more, important to rank false positives high, especially in Prevention mode. Are there any reviewers that have compared the false positives and false alarms of all the IDS/IPS products? Has anyone here compared false positives of IntruVert, Snort, Cisco, RealSecure, etc.?
You might be interested in the paper "The Base-Rate Fallacy and its Implications for the Difficulty of Intrusion Detection" by Stefan Axelsson:

http://citeseer.nj.nec.com/cache/papers/cs/13832/http:zSzzSzwww.ce.chalmers.sezSzstaffzSzsaxzSzdifficulty.pdf/axelsson99baserate.pdf

It is heavy on the math side of things, but this is good since it begins to put questions about false positives on a rigorous footing. (The paper does not answer your specific question above, but it does provide an interesting perspective on false positives in general.)

--Mike

Michael Rash
http://www.cipherdyne.com
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F