IDS mailing list archives

Re: False positives, negatives and don't cares


From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 12 Aug 2003 17:35:55 -0400

I'm thinking of calling them "noncontextuals", what does everyone think
about that word?

Weeding down the analytics set to the minimum can be a side effect of
network discovery processes, you just move the context information down into
the sensor itself.

The nCircle model is great for detecting things that you know about but
tails off when you get outside those things.  There's not anything wrong
with that, it's just that some of the same ideas can be applied more broadly
to solve a greater number of problems in my opinion.

     -Marty

On 8/11/03 11:16 AM, "Bennett Todd" <bet () rahul net> wrote:

A very thought-provoking note (no surprise there).

I think it's fair to distinguish genuine false-positives (result of
flawed analysis/sigs/whatever triggering on truly legit traffic)
from irrelevant-to-local-context attacks.

And I agree that these irrelevant-to-local-context attacks can
produce useful intelligence.

But to my tastes, a more exciting way to approach things is to
programmatically weed the sig set down, resulting in small enough
analytic sets to allow very fast processing.

[ Disclaimer re following: I've looked at the product, but not
actually used it. ]

I think nCircle has a pretty sexy product in that vein; they've
worked on non-disruptive automated vuln scanning, and coupled that
to an IDS engine that's used to watch for attempts to exploit
apparently-vulnerable servers. So on a sufficiently tightly-tuned
plant, the IDS engine would normally not be active; it'd only begin
looking for a small number of sigs when a config error opens a vuln,
and would only remain active until admins respond to the alerts and
plug the holes.

-Bennett


-- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
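The two ideas in this exchange, weeding the signature set down to what the discovered hosts can actually be hit by, and tagging alerts that fire against a non-vulnerable target as "noncontextual" rather than as false positives, as an added example. This is not code from the thread, from nCircle or from Snort; the service names, version strings, rule SIDs and alert dictionary are constructed for illustration.

```python
"""Context-aware signature selection.

Added example, not code from the thread, nCircle or Snort. The inventory
(what a discovery scan would report), the rule metadata and the alert
format are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    sid: int                      # rule identifier (hypothetical numbers)
    msg: str
    service: str                  # service the exploit targets
    vuln_versions: Tuple[str, ...]  # versions the exploit works against


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    name: str
    version: str


# Constructed rule set: each rule carries the context it needs to decide
# whether it is relevant to a given discovered service.
RULES: List[Rule] = [
    Rule(1000001, "httpd exploit attempt", "httpd", ("1.0", "1.1")),
    Rule(1000002, "smtpd overflow attempt", "smtpd", ("2.3",)),
    Rule(1000003, "ftpd exploit attempt", "ftpd", ("0.9",)),
]

# Constructed discovery result: only web1 runs a version a rule covers.
INVENTORY: List[Service] = [
    Service("web1", 80, "httpd", "1.0"),
    Service("web2", 80, "httpd", "1.2"),
    Service("mail1", 25, "smtpd", "2.4"),
]


def vulnerable_to(rule: Rule, svc: Service) -> bool:
    """True when the rule's exploit applies to this discovered service."""
    return svc.name == rule.service and svc.version in rule.vuln_versions


def select_active_rules(inventory: List[Service],
                        rules: List[Rule]) -> Dict[Tuple[str, int], Set[int]]:
    """Map each (host, port) to the SIDs that should be active for it.

    Rules that match no discovered service stay disabled, which is what
    shrinks the analytic set; rerun this after every discovery pass so a
    config change that exposes a vulnerable service switches its rule on.
    """
    active: Dict[Tuple[str, int], Set[int]] = {}
    for svc in inventory:
        sids = {r.sid for r in rules if vulnerable_to(r, svc)}
        if sids:
            active[(svc.host, svc.port)] = sids
    return active


def classify_alert(alert: dict, inventory: List[Service],
                   rules: List[Rule]) -> str:
    """'contextual'    : target discovered and vulnerable to the rule
       'noncontextual' : target discovered but not vulnerable (real attack
                         traffic, irrelevant to local context)
       'unknown'       : target or rule not in the local context at all."""
    rule = next((r for r in rules if r.sid == alert["sid"]), None)
    if rule is None:
        return "unknown"
    target = next((s for s in inventory
                   if s.host == alert["dst_host"] and s.port == alert["dst_port"]),
                  None)
    if target is None:
        return "unknown"
    return "contextual" if vulnerable_to(rule, target) else "noncontextual"


if __name__ == "__main__":
    print("active:", select_active_rules(INVENTORY, RULES))
    # Simulate a config error exposing a vulnerable ftpd on web1.
    after = INVENTORY + [Service("web1", 21, "ftpd", "0.9")]
    print("after misconfig:", select_active_rules(after, RULES))
    print(classify_alert({"sid": 1000001, "dst_host": "web2", "dst_port": 80},
                         INVENTORY, RULES))
```

With the constructed inventory only one of the three rules is active anywhere, and an attempt to exploit web2 with that same rule's exploit is reported as noncontextual rather than dropped, so the intelligence value of the attempt is kept while the active rule set stays small. The discovery data is the context Marty talks about moving into the sensor: the selector is only as good as the scan that feeds it, and a stale inventory silently disables rules that should be on.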

