IDS mailing list archives
Re: Announcement: Alert Verification for Snort
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 23 Oct 2003 21:51:54 -0400
Hi Raistlin, On Oct 23, 2003, at 6:35 AM, Raistlin wrote:
1) Detect, Attack Present, Vulnerable: True Positive 2) Detect, Attack Present, Not Vulnerable: Nontextual (i.e. detect requiring contextual data to resolve)Actually, I think that vulnerable or non-vulnerable is not tied to the true/false positive concept... so I'd say: Detect, Attack Present, Signature Present, [vuln|not]: True Positive
The "signature" (detection method) being present was implicit since there was a detection. :)
(thinking of a signature based system, reword it for your favorite system)4) No Detect, Attack Present, Vulnerable: False Negative 5) No Detect, Attack Present, Not Vulnerable: ?Here it is a bit more complex, but I'd say No Detect, Attack Present, Signature Present, [Vuln|not vuln]: False Negative
I'm leaning that way as well, but I think I'd classify it as somewhere between a False Negative an a nontextual. Some people might call it a fortunate happenstance since it reduces the data load from the IDS even if it is by mistake. :)
No Detect, Attack Present, Signature Present, Not Vulnerable: a lucky falsenegative :)
Exactly!
6) No Detect, No Attack, [vuln|not vuln]: Don't care (true negative?)True negative is the correct definition, but it encloses also: No Detect, [Attack|No Attack], No Signature, [vuln|not vuln]
Yes.
In case 2 the "nontextual" isn't a false positive but I think that mostpeople are calling it an FP these days. I *personally* think that's a misconception.I agree wholeheartedly.
-Marty
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
and use priority code SF4.
---------------------------------------------------------------------------
Current thread:
- Re: Announcement: Alert Verification for Snort, (continued)
- Re: Announcement: Alert Verification for Snort Michael Sierchio (Oct 24)
- Re: Announcement: Alert Verification for Snort Michael Stone (Oct 27)
- Re: Announcement: Alert Verification for Snort Martin Roesch (Oct 23)
- Re: Announcement: Alert Verification for Snort Michael Sierchio (Oct 23)
- Re: Announcement: Alert Verification for Snort Ron Gula (Oct 23)
- Re: Announcement: Alert Verification for Snort Frank Knobbe (Oct 24)
- Re: Announcement: Alert Verification for Snort Barry Fitzgerald (Oct 24)
- RE: Announcement: Alert Verification for Snort Craig H. Rowland (Oct 24)
- Re: Announcement: Alert Verification for Snort Robin Sommer (Oct 24)
- Re: Announcement: Alert Verification for Snort Martin Roesch (Oct 23)
- Re: Announcement: Alert Verification for Snort Michael Krieger (Oct 24)
- Re: Announcement: Alert Verification for Snort Bill Royds (Oct 24)
- Re: Announcement: Alert Verification for Snort Michael Stone (Oct 23)
- Re: Announcement: Alert Verification for Snort Sam f. Stover (Oct 24)
- Re: Announcement: Alert Verification for Snort Martin Roesch (Oct 24)