Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: false positive generator

From: Dirk Geschke <Dirk_Geschke () genua de>
Date: Wed, 11 Feb 2004 10:38:45 +0100
Hi Matt,

I think you misses something...


Well, if anyone knows something that's a false positive, let the snort 
developers know so they can fix it ASAP.


Yes, that's true. But not all false positives can be eleminated.

How about UDP rules searching for a special content in the payload?


Are you really trying to generate _false_ positives, or just generate 
alerts? Not all alerts require an actual overflow to occur..


The idea is to create alerts which are recognized by the sensor
but do not belong to a real attack. This is of course useful for
debugging/testing/benchmarking. Think about a tool like ACID,
it won't make fun to develop a new one if you have only one
kind of alerts in the database...


A nessus safe-mode scan should fire off at least a few alerts, although 
I'll admit I haven't tried it recently.


Yes, but this are only a few. And you can't really test all rules.

A false positive generator like "fpg" tries to build for every rule
an appropiate network packet that should raise the rule to generate
an alert. This alert should then be found in the logs or mucht better
in the database. Since you know how the packet was built you should
be able to verify that the alert information in the database are
correct or not. 

How will you do this with only sniffing on real attacks? You must
have a tcpdump running parallel to snort to see if the alerts are
relatedt to the original network packet?

So finally: False positive generators are very useful under certain
circumstances.

Best regards

Dirk



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: