IDS mailing list archives

Re: Snort with an expert system


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 20 Apr 2009 13:51:14 -0400

I think the best way to reduce false positives is proactively at
tune-time.  If you look into my rhetoric regarding "target-based" IDS
(and IPS) you'll see that I've been espousing a position where false
positives are an artifact of poorly tuned engines.  You have two
options to try to rectify this issue:

1) Better tuning, preferably based on intelligence surrounding the
attributes of devices in the defended network and automation to bring
that info to the sensor technology.

2) Post-detection contextualization utilizing vulnerability mapping
and automated methods for assessing the relevance of events versus the
composition of the target that they're aimed at.

I think that method 1 is potentially stronger than 2 because it not
only reduces false positives, it also reduces false negatives by
reducing the informational disparity between the attacker and the
defending sensor technology.

Regarding your question, if you turn on any of the rule sets blindly
you're going to get a lot of noise (false positives) due to the lack
of tuning, so to some degree they're all equally appropriate.  Probably
choosing the rules that cover protocols you're most comfortable with
makes the most sense, though, so you can understand the nature of the
data they're generating.

Marty


On Sat, Apr 18, 2009 at 11:07 AM, Stephen Mullins
<steve.mullins.work () gmail com> wrote:
False positives will vary from network to network.  You can alter the
rules to eliminate false positives you run into.

I wouldn't use the spyware rules unless you want Snort telling you
everyone has Earthlink toolbar installed when they check their
Earthlink ISP webmail.

On Sat, Apr 4, 2009 at 8:22 AM, Timmmy <bluesinblood () gmail com> wrote:

Hi everybody
I'm coupling an IDS with an expert system. I want to prove that this could
decrease the number of false positives. I chose Snort as an IDS.
Because of the huge number of signatures, I just want (for now) to take a
little set of signatures and design the expert system rules according to
these signatures to work like an administrator would do (analyse logs,
monitor the alerts, know if it's a false positive or not, make decisions).
So, what is in your opinion the right set of signatures to take (for
example, the signatures that generate a lot of false positives)?
Thx!
--
View this message in context: http://www.nabble.com/Snort-with-an-expert-system-tp22881974p22881974.html
Sent from the IDS (Intrusion Detection System) mailing list archive at Nabble.com.

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
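The "post-detection contextualization" Marty describes as option 2 is exactly the kind of reasoning Timmmy's expert system would encode: take a Snort alert, look up what is actually running on the destination host, and decide whether the signature is relevant to that target. The following is an added example, not code from this thread, from Sourcefire or from the Snort project. It parses Snort alert_fast-style lines, applies a small ordered rule set in the order an administrator would reason (is the signature informational noise, is the host known, does the targeted product match, is the host known vulnerable), and, for alerts judged false positives, emits Snort threshold.conf "suppress" lines so the result can be fed back into tuning (Marty's option 1). The alert lines, the asset inventory, the vulnerability tags and the signature IDs (local range 1000001+) are all constructed for the example; none of them are real Snort rules or real vulnerability identifiers.

```python
import re
from collections import namedtuple

# Constructed Snort alert_fast-style lines. SIDs are in the local 1000000+
# range and are hypothetical, not real Snort rule IDs.
SAMPLE_ALERTS = """\
04/18-11:07:01.000001  [**] [1:1000001:1] LOCAL WEB-IIS unicode directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.50:40001 -> 10.1.2.10:80
04/18-11:07:02.000002  [**] [1:1000001:1] LOCAL WEB-IIS unicode directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.50:40002 -> 10.1.2.20:80
04/18-11:07:03.000003  [**] [1:1000002:1] LOCAL SMTP command overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.1.51:40003 -> 10.1.2.30:25
04/18-11:07:04.000004  [**] [1:1000003:1] LOCAL SPYWARE-PUT toolbar user-agent [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.40:40004 -> 203.0.113.9:80
04/18-11:07:05.000005  [**] [1:1000002:1] LOCAL SMTP command overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.1.51:40005 -> 10.1.2.99:25
04/18-11:07:06.000006  [**] [1:1000002:1] LOCAL SMTP command overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.1.51:40006 -> 10.1.2.31:25
"""

# Constructed asset inventory: what the defender knows about each host.
# Vulnerability tags ("iis-unicode-traversal") are hypothetical labels.
ASSETS = {
    "10.1.2.10": {"os": "windows", "services": {80: "iis"}, "vulns": {"iis-unicode-traversal"}},
    "10.1.2.20": {"os": "linux", "services": {80: "apache"}, "vulns": set()},
    "10.1.2.30": {"os": "linux", "services": {25: "postfix"}, "vulns": set()},
    "10.1.2.31": {"os": "linux", "services": {25: "sendmail"}, "vulns": set()},
    "10.1.2.40": {"os": "windows", "services": {}, "vulns": set()},
}

# Constructed knowledge about each signature: which product it targets,
# which (hypothetical) vulnerability it covers, and whether it is merely
# informational (the "spyware toolbar" class of rule Stephen mentions).
SIGNATURES = {
    1000001: {"targets": {"iis"}, "vuln": "iis-unicode-traversal", "informational": False},
    1000002: {"targets": {"sendmail"}, "vuln": "sendmail-cmd-overflow", "informational": False},
    1000003: {"targets": set(), "vuln": None, "informational": True},
}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

Alert = namedtuple("Alert", "ts gid sid msg prio proto src dst dport")


def parse_alerts(text):
    """Parse alert_fast lines; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(Alert(m["ts"], int(m["gid"]), int(m["sid"]), m["msg"],
                                int(m["prio"]), m["proto"], m["src"], m["dst"],
                                int(m["dport"])))
    return alerts


def assess(alert, assets=ASSETS, sigs=SIGNATURES):
    """Ordered rules, applied the way an administrator would reason.

    Returns (verdict, reason) with verdict one of
    suppress / false_positive / review / escalate.
    """
    sig = sigs.get(alert.sid)
    if sig is None:
        return "review", "no knowledge of this signature"
    if sig["informational"]:
        return "suppress", "informational signature, not an attack"
    host = assets.get(alert.dst)
    if host is None:
        # Marty's "informational disparity": without target knowledge we
        # cannot call it either way, so a human has to look.
        return "review", "destination not in asset inventory"
    service = host["services"].get(alert.dport)
    if service is None:
        # Inventories go stale; do not auto-close on an absent service.
        return "review", "inventory shows no service on that port; verify inventory"
    if sig["targets"] and service not in sig["targets"]:
        return "false_positive", "signature targets %s, host runs %s" % (
            sorted(sig["targets"]), service)
    if sig["vuln"] in host["vulns"]:
        return "escalate", "host is known vulnerable (%s)" % sig["vuln"]
    return "review", "target product matches but no known vulnerability"


def triage(text):
    """Return [(sid, dst, verdict, reason), ...] for every parsed alert."""
    return [(a.sid, a.dst) + assess(a) for a in parse_alerts(text)]


def suppress_lines(text):
    """Snort threshold.conf 'suppress' entries for alerts judged false positive."""
    lines = set()
    for a in parse_alerts(text):
        if assess(a)[0] == "false_positive":
            lines.add("suppress gen_id %d, sig_id %d, track by_dst, ip %s" % (a.gid, a.sid, a.dst))
    return sorted(lines)


if __name__ == "__main__":
    for sid, dst, verdict, reason in triage(SAMPLE_ALERTS):
        print("%d -> %-12s %-15s %s" % (sid, dst, verdict, reason))
    print("\n".join(suppress_lines(SAMPLE_ALERTS)))
```

The rule order matters: a signature is only compared against the host's product after the host is confirmed to be in the inventory, and an alert against an unknown host is sent for review rather than discarded, because the absence of data is exactly the gap Marty says leaves both false positives and false negatives in place. The emitted "suppress ... track by_dst, ip ..." entries use Snort's own threshold.conf syntax and suppress the rule only for the specific host where the product mismatch was established, not globally.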


