IDS mailing list archives
IDS Signature Confidence
From: "Raffael Marty" <raffy () raffy ch>
Date: Mon, 20 Jun 2005 18:59:36 -0400 (EDT)
I was thinking about this following problem: Assume you have an NIDS signature looking for DoS attacks. In most of the cases I don't trust the NIDS reporting on a DoS attack. A lot of the DoS sigs just look at some bytes on the wire and tell me that there is a DoS attack going on. However, I need some more evidence that my services are indeed not accessible anymore. Some signatures on the other hand are very specific and you can trust them with whatever they report. Now this brings me to my question: How do you guys decide how much confidence you put in a certain IDS signature? And I am not talking about prioritizing the event. I am talking about assigning a "success" or "possible success" to signatures. -raffy -- Raffael Marty, GCIA, CISSP raffael.marty () arcsight com Senior Security Engineer Content Team @ ArcSight Inc. 5 Results Way Cupertino, CA 95014 (408) 864-2662 -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- IDS Signature Confidence Raffael Marty (Jun 20)
- Re: IDS Signature Confidence David W. Goodrum (Jun 21)
- <Possible follow-ups>
- Re: FW: IDS Signature Confidence Vipul Kumra (Jun 21)
- Re: Re: FW: IDS Signature Confidence bbhikkaji (Jun 28)