IDS mailing list archives
Re: False positives, negatives and don't cares
From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 12 Aug 2003 17:35:55 -0400
I'm thinking of calling them "noncontextuals", what does everyone think about that word? Weeding down the analytics set to the minimum can be a side effect of network discovery processes; you just move the context information down into the sensor itself. The nCircle model is great for detecting things that you know about but tails off when you get outside those things. There's not anything wrong with that, it's just that some of the same ideas can be applied more broadly to solve a greater number of problems in my opinion.

-Marty

On 8/11/03 11:16 AM, "Bennett Todd" <bet () rahul net> wrote:
A very thought-provoking note (no surprise there). I think it's fair to distinguish genuine false positives (result of flawed analysis/sigs/whatever triggering on truly legit traffic) from irrelevant-to-local-context attacks. And I agree that these irrelevant-to-local-context attacks can produce useful intelligence. But to my tastes, a more exciting way to approach things is to programmatically weed the sig set down, resulting in small enough analytic sets to allow very fast processing.

[ Disclaimer re following: I've looked at the product, but not actually used it. ]

I think nCircle has a pretty sexy product in that vein; they've worked on non-disruptive automated vuln scanning, and coupled that to an IDS engine that's used to watch for attempts to exploit apparently-vulnerable servers. So on a sufficiently tightly-tuned plant, the IDS engine would normally not be active; it'd only begin looking for a small number of sigs when a config error opens a vuln, and would only remain active until admins respond to the alerts and plug the holes.

-Bennett
-- Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616 Sourcefire: Enterprise-class Intrusion detection built on Snort roesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org
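The two approaches in the exchange above, as an added illustration that is not code from Sourcefire, Snort or nCircle: Bennett's "weed the sig set down" model enables only the rules for which discovery shows an apparently vulnerable server, while Marty's "move the context into the sensor" model keeps every rule firing but tags each alert as contextual or noncontextual so the irrelevant-to-local-context hits survive as intelligence instead of being dropped. The host inventory, rule identifiers, product names and version thresholds below are all constructed for the example; they are not real Snort SIDs or real vulnerability data.

```python
"""Context-aware IDS rule selection and alert tagging (added example).

Models the two ideas from the thread against a constructed inventory such
as a network-discovery process might produce. Nothing here is real Snort,
Sourcefire or nCircle code; rule ids, products and versions are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int                 # hypothetical rule id, not a real Snort SID
    service: str             # service the rule targets, e.g. "http"
    product: str             # product the rule targets, e.g. "apache"
    vulnerable_max: tuple    # versions <= this are affected; () means all
    msg: str


@dataclass(frozen=True)
class Host:
    ip: str
    services: dict           # port -> (service, product, version tuple)


# Constructed inventory: what discovery found on three hosts.
INVENTORY = {
    "10.0.0.5": Host("10.0.0.5", {80: ("http", "apache", (1, 3, 27))}),
    "10.0.0.6": Host("10.0.0.6", {80: ("http", "iis", (5, 0)),
                                  25: ("smtp", "sendmail", (8, 12, 9))}),
    "10.0.0.7": Host("10.0.0.7", {22: ("ssh", "openssh", (3, 6, 1))}),
}

# Constructed rule set with the context each rule needs to be relevant.
RULES = [
    Rule(1001, "http", "apache", (1, 3, 28), "apache chunked request (example)"),
    Rule(1002, "http", "iis", (5, 0), "iis isapi overflow (example)"),
    Rule(1003, "smtp", "sendmail", (8, 12, 8), "sendmail header overflow (example)"),
    Rule(1004, "ssh", "openssh", (), "openssh auth probe (example)"),
]


def is_exposed(host, rule, port):
    """True if the service on `port` matches the rule's target and version."""
    svc = host.services.get(port)
    if svc is None:
        return False
    service, product, version = svc
    if service != rule.service or product != rule.product:
        return False
    # An empty vulnerable_max means every version of the product is in scope.
    return not rule.vulnerable_max or version <= rule.vulnerable_max


def active_rules(inventory, rules):
    """Bennett's model: enable only rules some host appears exposed to."""
    return sorted({
        rule.sid
        for host in inventory.values()
        for rule in rules
        for port in host.services
        if is_exposed(host, rule, port)
    })


def classify(alert, inventory, rules):
    """Marty's model: keep every alert, but tag it with local context."""
    rule = next((r for r in rules if r.sid == alert["sid"]), None)
    if rule is None:
        return "unknown-rule"
    host = inventory.get(alert["dst"])
    if host is None:
        return "noncontextual:unknown-host"
    if is_exposed(host, rule, alert["dport"]):
        return "contextual"
    return "noncontextual:target-not-vulnerable"


def triage(alerts, inventory, rules):
    """Tag a batch of alerts and count each context class."""
    counts = {}
    for alert in alerts:
        tag = classify(alert, inventory, rules)
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed alerts: the sendmail one hits a host whose version is newer
    # than the rule's threshold, so it is real traffic but noncontextual here.
    sample = [
        {"sid": 1001, "dst": "10.0.0.5", "dport": 80},
        {"sid": 1001, "dst": "10.0.0.6", "dport": 80},
        {"sid": 1003, "dst": "10.0.0.6", "dport": 25},
        {"sid": 1002, "dst": "10.0.0.9", "dport": 80},
    ]
    print("rules to enable:", active_rules(INVENTORY, RULES))
    print("alert context:", triage(sample, INVENTORY, RULES))
```

The difference between the two functions is the point of the thread: `active_rules` never sees the sendmail probe at all, while `classify` reports it as `noncontextual:target-not-vulnerable`, which is exactly the kind of hit Marty wants to keep around as intelligence rather than count as a false positive. Either way the quality of the answer is bounded by the freshness of the inventory, so the discovery data has to be refreshed at least as often as the plant changes.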
Current thread:
- False positives, negatives and don't cares Martin Roesch (Aug 11)
- Re: False positives, negatives and don't cares Bennett Todd (Aug 11)
- Re: False positives, negatives and don't cares Martin Roesch (Aug 12)
- Re: False positives, negatives and don't cares Paul Schmehl (Aug 12)
- Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares Arian J. Evans (Aug 12)
- Re: Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares Mike Coliton (Aug 12)
- Re: Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares Martin Roesch (Aug 12)
- Re: Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares Anton A. Chuvakin (Aug 21)
- Re: False positives, negatives and don't cares Bennett Todd (Aug 11)