IDS mailing list archives

Re: False Positives


From: Tobias Klein <tobias.klein () ewetel de>
Date: Thu, 05 Jun 2003 11:34:03 +0200

Here are a few tools to test your IDS ruleset:

http://www.packetstormsecurity.nl/distributed/stick.tgz
http://securityfocus.com/data/tools/stick.tgz
 
http://www.whitehats.com/cgi/tools/BrowseTree?field=Category&separator=:&recurse=1&order=&value=Assessment%3aIDS%20Testing%20and%20Evasion
ftp://ftp.st.ryukoku.ac.jp/pub/security/tool/snot/
http://www.robertgraham.com/tmp/sidestep.html
http://adam.kaist.ac.kr/~bugsy/mendax.html
http://www.hsc.fr/ressources/outils/idswakeup/
http://packetstorm.widexs.nl/UNIX/IDS/nidsbench/nidsbench.html

I think that will help you.

-- newroot


At 16:13 03.06.2003 +0000, Andi Hess wrote:


Hi there,

I am new in the field of NIDS and I wonder if the
problem of false positives is really as huge as
mentioned in several publications.

I am considering tools like PCP, Stick (I have never
seen them, but read about them) which can be used to
generate a huge amount of packets, and each one triggers an
alarm on the victim IDS (a false positive, as the
packets are not a real attack).
As it has been impossible for me to find any of the
above mentioned packet generators - I wonder what the
packets look like?
Is it possible to differentiate 'artificially' generated
false positives from natural ones?

Any hint is welcome!

Thank you.

A.




-------------------------------------------------------------------------------
INTRUSION PREVENTION: READY FOR PRIME TIME?

IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities
- including intrusion identification, relevancy, direction, impact and analysis
- enabling a path to prevention.

Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at:
http://www.securityfocus.com/IntruVert-focus-ids2
-------------------------------------------------------------------------------



