IDS mailing list archives
Re: Snort with an expert system
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 20 Apr 2009 13:51:14 -0400
I think the best way to reduce false positives is proactively at tune-time. If you look into my rhetoric regarding "target-based" IDS (and IPS) you'll see that I've been espousing a position where false positives are an artifact of poorly tuned engines. You have two options to try to rectify this issue:

1) Better tuning, preferably based on intelligence surrounding the attributes of devices in the defended network and automation to bring that info to the sensor technology.

2) Post-detection contextualization utilizing vulnerability mapping and automated methods for assessing the relevance of events versus the composition of the target that they're aimed at.

I think that method 1 is potentially stronger than 2 because it not only reduces false positives, it also reduces false negatives by reducing the informational disparity between the attacker and the defending sensor technology.

Regarding your question, if you turn on any of the rule sets blindly you're going to get a lot of noise (false positives) due to the lack of tuning, so to some degree they're all equally appropriate. Probably choosing the rules that cover protocols you're most comfortable with makes the most sense though, so you can understand the nature of the data they're generating.

Marty

On Sat, Apr 18, 2009 at 11:07 AM, Stephen Mullins <steve.mullins.work () gmail com> wrote:
> False positives will vary from network to network. You can alter the rules to eliminate false positives you run into. I wouldn't use the spyware rules unless you want Snort telling you everyone has Earthlink toolbar installed when they check their Earthlink ISP webmail.
>
> On Sat, Apr 4, 2009 at 8:22 AM, Timmmy <bluesinblood () gmail com> wrote:
>
>> Hi everybody
>>
>> I'm coupling an IDS with an expert system. I want to prove that this could decrease the number of false positives. I chose Snort as an IDS. Because of the huge number of signatures, I just want (for now) to take a little set of signatures and design the expert system rules according to these signatures to work like an administrator would do (analyse logs, monitor the alerts, know if it's a false positive or not, make decisions). So, what is in your opinion the right set of signatures to take (for example, the signatures that generate a lot of false positives)?
>>
>> Thx!
>>
>> --
>> View this message in context: http://www.nabble.com/Snort-with-an-expert-system-tp22881974p22881974.html
>> Sent from the IDS (Intrusion Detection System) mailing list archive at Nabble.com.
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
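The two options Marty lays out, tune-time suppression driven by host intelligence and post-detection relevance scoring against the target, and the "expert system that judges alerts like an administrator" that Timmmy asks about, can both be shown with a small script. The following is an added example written for this archive page; it is not Snort code and not anything from Sourcefire or the thread participants. The host inventory, the SID-to-target table, the SIDs themselves (1000001 and up, placeholders rather than real rule IDs) and the alert lines are all constructed. The alert lines follow Snort's `-A fast` output layout, and the emitted `suppress` lines use the Snort 2.x threshold.conf syntax.

```python
"""
Target-based contextualization of Snort alerts (illustrative, not Snort's own code).

Method 2 (post-detection): parse Snort "fast" alerts and grade each one as
relevant / irrelevant / unknown against an inventory of what the destination
host actually runs.  Method 1 (tune-time): derive threshold.conf suppressions
from the same inventory so the sensor never raises those alerts in the first
place.  All data below is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed host inventory: the "intelligence about the defended network"
# that a target-based sensor is supposed to have.
INVENTORY = {
    "10.0.0.5": {"os": "linux",   "services": {80: "apache"}},
    "10.0.0.8": {"os": "windows", "services": {80: "iis", 445: "smb"}},
}

# Constructed vulnerability mapping: what a target must be for the SID to matter.
# SIDs are placeholders, not real Snort rule IDs.
SID_TARGETS = {
    1000001: {"service": "iis"},                  # hypothetical IIS-only request
    1000002: {"service": "apache"},               # hypothetical Apache-only request
    1000003: {"os": "windows", "service": "smb"}, # hypothetical SMB probe
}

# Constructed alert lines in Snort "-A fast" layout.
ALERTS = """\
04/20-13:51:14.123456  [**] [1:1000001:3] WEB-IIS hypothetical request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:43210 -> 10.0.0.5:80
04/20-13:51:15.000001  [**] [1:1000001:3] WEB-IIS hypothetical request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:43211 -> 10.0.0.8:80
04/20-13:51:16.000002  [**] [1:1000003:1] NETBIOS hypothetical SMB probe [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:43212 -> 10.0.0.5:445
04/20-13:51:17.000003  [**] [1:1000002:2] WEB-MISC hypothetical Apache request [**] [Priority: 2] {TCP} 192.0.2.10:43213 -> 10.0.0.9:80
"""

FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification: (?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority: (?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$'
)


@dataclass
class Alert:
    sid: int
    msg: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]   # None for port-less protocols such as ICMP


def parse_fast_alert(line: str) -> Optional[Alert]:
    """Parse one fast-format alert line; return None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return Alert(sid=int(m["sid"]), msg=m["msg"], proto=m["proto"],
                 src=m["src"], dst=m["dst"],
                 dport=int(m["dport"]) if m["dport"] else None)


def assess(alert: Alert, inventory=INVENTORY, sid_targets=SID_TARGETS) -> str:
    """Method 2: grade an alert against what the target host actually runs."""
    host = inventory.get(alert.dst)
    req = sid_targets.get(alert.sid)
    if host is None or req is None:
        return "unknown"        # no intelligence: leave for the analyst, don't guess
    if "os" in req and host["os"] != req["os"]:
        return "irrelevant"     # e.g. Windows-only exploit aimed at a Linux box
    if "service" in req and host["services"].get(alert.dport) != req["service"]:
        return "irrelevant"     # e.g. IIS request hitting a port served by Apache
    return "relevant"


def classify_alerts(text: str):
    """Return (sid, dst, verdict) for every parseable alert line."""
    out = []
    for line in text.splitlines():
        a = parse_fast_alert(line)
        if a is not None:
            out.append((a.sid, a.dst, assess(a)))
    return out


def suppressions(inventory=INVENTORY, sid_targets=SID_TARGETS, gid=1):
    """Method 1: tune-time threshold.conf 'suppress' lines for hosts a SID cannot apply to."""
    lines = []
    for sid, req in sorted(sid_targets.items()):
        for ip, host in sorted(inventory.items()):
            os_mismatch = "os" in req and host["os"] != req["os"]
            svc_missing = "service" in req and req["service"] not in host["services"].values()
            if os_mismatch or svc_missing:
                lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {ip}")
    return lines


if __name__ == "__main__":
    for sid, dst, verdict in classify_alerts(ALERTS):
        print(f"sid {sid} -> {dst}: {verdict}")
    print("\n".join(suppressions()))
```

The "unknown" verdict is deliberate: an alert aimed at a host the inventory does not describe is exactly the case where neither method helps, and silently calling it a false positive would turn Marty's point about informational disparity on its head. Note also that method 1 suppresses by destination host only, whereas method 2 can additionally use the destination port, so a host that runs both Apache and IIS on different ports is handled correctly only by the post-detection check.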
Current thread:
- Snort with an expert system Timmmy (Apr 07)
- Re: Snort with an expert system Stephen Mullins (Apr 20)
- Re: Snort with an expert system Martin Roesch (Apr 20)
- Re: Snort with an expert system Stephen Mullins (Apr 20)