IDS mailing list archives
Re: Current IDS problems
From: Dhruv Soi <dhruv_ymca () yahoo com>
Date: Sat, 22 Oct 2005 11:25:03 -0700 (PDT)
But false positives are induced by the researchers who have created low-quality signatures, which bring false positives. The problem I see in the case of false positives is limitations in the language constructs of the IDS and the engine's support to digest those signatures. Even if a vulnerability researcher is able to discover what the ideal signature should be to stop some attack, he requires language constructs in the engine to give him the ability to write such signatures. But due to the severity of the attack he/she really wants to get away with writing the signature in any case. So this ends up in a low-quality signature at times, and hence promotes false positives. I am not saying this happens most of the time, but sometimes researchers complain about this. And providing such facilities for researchers may sometimes require a lot of changes in the engine, which the company can't afford to do, or sometimes the requirement is not even feasible. So I should say that this problem is in the architecture implementation or the researchers, and not actually in IDS technology as such, which simply no company can avoid, as there is always a human working on that part. But to overcome the problem of false positives, IDS companies are providing vulnerability correlation mechanisms/data-mining techniques in their products.

But this was all about insights, and 0boy might be concerned about the IDS implementation. So I would like to list down a few of those points out here...

1. Of course false positives, if the IDS is not supporting the things I talked about above.
2. Log analysis of the IDS to see the attacks happening on your network.
3. Handling of zero-day attacks for high-severity vulnerabilities.
4. Frequency of signature updates to clients. It should be like product companies are providing signatures to clients where the attack came into the picture one month back.
5. Many of the IDS companies are still not very sure that their product is 100% protecting against IDS evasion techniques, wherein an attack can be bypassed. But don't worry, every company will claim that "they do".
6. The GUI of a few products is not that user friendly.
7. Redundancy of hardware components of the IDS, in case it is a hardware product. Some time back, I evaluated a few IDS/IPS products to carry out a recommendation project for some company, but I have not seen any product that doesn't provide this capability. You may see some product, because there are a lot in the market.
8. I even found good support service from all the companies. Whenever I required any help to understand any of the features from inside, they always responded quickly. And the guys giving the support were actually smart enough to understand my words and give me satisfactory answers, so I never had the experience of hitting my head on the wall ;-). But service support is one of the biggest parameters which can take you into big-time frustration.

To end up the mail, I feel the problems can be categorized into Signatures (both accuracy and response time), Implementation (both software and hardware) and Service Support (both in terms of response time and the smartness of people).

I hope I am able to explain the things and you are not hitting your head on the wall ;-)

-Dhruv

--- crazy frog crazy frog <i.m.crazy.frog () gmail com> wrote:

false positives. Although we need to fine tune it to reduce this stuff.

On 10/19/05, zero <zeroboy () arrakis es> wrote:

Hi all,
I would like to know what are the problems people working with IDS see in them. I mean, what are the things you hate about IDS, think simply you feel are plain wrong or that there should be another way to do it.
All comments are greatly appreciated :)
Thxs in advance.
------------------------------------------------------------------------
Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
-- ting ding ting ding ting ding ting ding ting ding ding i m crazy frog :)
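Added example, not part of Dhruv's message or of any vendor's product: a toy matcher that shows two of the problems listed above, low-quality signatures that fire on benign traffic (point 1) and simple evasion of the same signature by percent-encoding (point 5), on constructed HTTP request lines. The "weak" rule is a bare substring match, which is all an engine without decoding and context constructs lets a researcher write; the "strong" rule adds URI decoding, a method check and the traversal context. The rule form and the sample requests are assumptions for illustration, not any IDS's rule language or real captured traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (label, raw); not real traffic.
SAMPLES = [
    ("attack", "GET /cgi-bin/../../etc/passwd HTTP/1.0"),
    ("attack", "GET /cgi-bin/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.0"),   # encoded
    ("attack", "GET /cgi-bin/..%2f..%2fetc%2fpasswd HTTP/1.0"),           # slashes encoded
    ("attack", "GET /cgi-bin/%252e%252e%252fetc%252fpasswd HTTP/1.0"),   # double-encoded
    ("benign", "GET /docs/unix/etc/passwd-format.html HTTP/1.0"),        # doc page
    ("benign", "GET /search?q=etc%2Fpasswd+permissions HTTP/1.0"),       # query string
    ("benign", "GET /index.html HTTP/1.0"),
]


def parse_request_line(raw):
    """Split 'METHOD SP URI SP VERSION' into (method, uri); None if malformed."""
    parts = raw.split(" ", 2)
    if len(parts) != 3:
        return None
    return parts[0], parts[1]


def weak_signature(raw):
    """Low-quality rule: bare substring match on the raw request.

    A hypothetical engine offering only 'content' matching forces the
    researcher to write this; it fires on any path containing the string
    and misses any encoded variant.
    """
    return "/etc/passwd" in raw


def normalize_uri(uri):
    """Drop the query string and percent-decode until stable (catches
    double encoding), then lowercase, so the rule sees a canonical path."""
    path = uri.split("?", 1)[0]
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.lower()


# Require the traversal context, not just the file name.
TRAVERSAL = re.compile(r"(?:\.\./)+etc/passwd")


def strong_signature(raw):
    """Better rule: parse the request, restrict to a request method,
    normalize the URI path, and match the traversal pattern on it."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return False
    method, uri = parsed
    if method not in ("GET", "POST", "HEAD"):
        return False
    return TRAVERSAL.search(normalize_uri(uri)) is not None


def evaluate(rule, samples=SAMPLES):
    """Return (true_positives, false_positives, misses) for rule over samples."""
    tp = fp = miss = 0
    for label, raw in samples:
        fired = rule(raw)
        if fired and label == "attack":
            tp += 1
        elif fired and label == "benign":
            fp += 1
        elif not fired and label == "attack":
            miss += 1
    return tp, fp, miss


if __name__ == "__main__":
    for name, rule in (("weak", weak_signature), ("strong", strong_signature)):
        tp, fp, miss = evaluate(rule)
        print(f"{name:6s} rule: {tp} detected, {fp} false positive(s), {miss} evaded")
```

Running it shows the weak rule detecting one attack while raising one false positive on the documentation page and missing the three encoded variants; the strong rule detects all four attacks with no false positives. The same trade-off applies to any engine: without decoding and context constructs, a researcher must pick between a broad match (false positives) and a literal one (evasion).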
Current thread:
- Current IDS problems zero (Oct 18)
- Re: Current IDS problems Mark Ryan del Moral Talabis (Oct 19)
- Re: Current IDS problems crazy frog crazy frog (Oct 21)
- Re: Current IDS problems Dhruv Soi (Oct 24)
- Re: Current IDS problems Terry Vernon (Oct 24)
- Re: Current IDS problems Nakul Aggarwal (Oct 26)
- RE: Current IDS problems Vipul Kumra (Oct 27)
- <Possible follow-ups>
- Re: Current IDS problems barcajax (Oct 19)
- RE: Current IDS problems Thompson, Jimi (Oct 26)