IDS mailing list archives
Re: need your help,thanks
From: Jose Maria Lopez <jkerouac () bgsec com>
Date: 29 Aug 2004 18:57:35 +0200
On Wed, 25 Aug 2004 at 04:42, Charles Heselton wrote:

> On Sun, 22 Aug 2004 13:37:22 +0800, Lily <xiaoche111 () hotmail com> wrote:
>
> > Hi all,
> > I am a youngling in IDS. I read some papers in network these days, and the more I read the less I understand. Because there are so many research areas in IDS, I don't know what I'll do. There are some questions below:
>
> Keep reading. ;)
>
> > 1. Have the false alarm rates been resolved now? I think it's an essential premise of the area of "response mechanism of IDS" that I want to research, do you think so?
>
> False alarms depend upon the accuracy of your signatures, and the peculiarity of your traffic. If the traffic in your environment is out of RFC standard, but is considered "normal" for your environment, it could produce a lot of false positives, especially with an anomaly-based IDS. I think that this is something that IDS will always have to deal with. You can never have *perfect* detection.

Snort used to have a patch that was an anomaly detector that could learn from the "normal" traffic at your site and make alerts when "strange" traffic was detected, but I think it didn't work very well because it seems that they have quit the development.

--
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac () bgsec com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"