IDS mailing list archives
RE: False Positives with IntruVert
From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Tue, 15 Apr 2003 15:23:15 -0700
Samuel makes a good point, though I think there's another dimension that needs to be caught- What differentiates a false positive from something that simply has very low value? For instance, Snort has (had? Brian Caswell's been cleaning the rules a lot recently) a rule that looks just for URLs that start with HEAD instead of GET. This is done because it is one of the techniques that Whisker uses to avoid being seen. The result if you turn this on is a lot of false positives (events that contain the string but aren't important) but also the potential to actually catch scans that are novel in every other way. The problem is that the value of the alert by itself is very very low but not zero. So, how do you score this? toby
-----Original Message----- From: Michael Rash [mailto:mbr () cipherdyne com] Sent: Monday, April 14, 2003 9:02 PM To: Cure, Samuel J Cc: 'focus-ids () securityfocus com' Subject: Re: False Positives with IntruVert On Mar 28, 2003, Cure, Samuel J wrote:While it seems that many IDS/IPS reviewers rank and measurefinding attackshigh, it would seem equally if not, more important to rankfalse positiveshigh especially in Prevention mode. Is there any reviewersthat havecompared the false positives and false alarms of all theIDS/IPS products?Has anyone here compared false positives of Introvert, Snort, Cisco, RealSecure, etc?You might be interested in the paper "The Base-Rate Fallacy and its Implications for the Difficulty of Intrusion Detection" by Stefan Axelsson: http://citeseer.nj.nec.com/cache/papers/cs/13832/http:zSzzSzww
w.ce.chalmers.sezSzstaffzSzsaxzSzdifficulty.pdf/axelsson99baserate.pdf It is heavy on the math side of things, but this is good since it begins to put questions about false positives on a rigorous footing. (The paper does not answer your specific question above, but it does provide an interesting perspective on false positives in general). --Mike Michael Rash http://www.cipherdyne.com Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F ------------------------------------------------------------------------------ INTRUSION PREVENTION: READY FOR PRIME TIME? IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities - including intrusion identification, relevancy, direction, impact and analysis - enabling a path to prevention. Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: http://www.securityfocus.com/IntruVert-focus-ids ------------------------------------------------------------------------------ INTRUSION PREVENTION: READY FOR PRIME TIME? IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities - including intrusion identification, relevancy, direction, impact and analysis - enabling a path to prevention. Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: http://www.securityfocus.com/IntruVert-focus-ids
Current thread:
- RE: False Positives with IntruVert Bill Boyle (Apr 11)
- <Possible follow-ups>
- Re: False Positives with IntruVert Michael Rash (Apr 15)
- RE: False Positives with IntruVert Kohlenberg, Toby (Apr 15)