IDS mailing list archives

Re: False positives, negatives and don't cares


From: Bennett Todd <bet () rahul net>
Date: Mon, 11 Aug 2003 11:16:47 -0400

A very thought-provoking note (no surprise there).

I think it's fair to distinguish genuine false-positives (result of
flawed analysis/sigs/whatever triggering on truly legit traffic)
from irrelevant-to-local-context attacks.

And I agree that these irrelevant-to-local-context attacks can
produce useful intelligence.

But to my tastes, a more exciting way to approach things is to
programmatically weed the sig set down, resulting in small enough
analytic sets to allow very fast processing.

[ Disclaimer re following: I've looked at the product, but not
  actually used it. ]

I think nCircle has a pretty sexy product in that vein; they've
worked on non-disruptive automated vuln scanning, and coupled that
to an IDS engine that's used to watch for attempts to exploit
apparently-vulnerable servers. So on a sufficiently tightly-tuned
plant, the IDS engine would normally not be active; it'd only begin
looking for a small number of sigs when a config error opens a vuln,
and would only remain active until admins respond to the alerts and
plug the holes.

-Bennett
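As an added illustration of the scanner-driven pruning Bennett describes (an IDS that only enables the handful of signatures matching services the vuln scan says are exposed, and retires them once the hole is plugged), the following is example code written for this archive page. It is not nCircle's code and not anything posted to the list. The signature catalogue, the `fixed_in` version thresholds, the service names and the scan records are all constructed sample data, and the field names (`sig_id`, `service`, `fixed_in`) are assumptions chosen for this example.

```python
"""Prune an IDS signature set to what a vulnerability scan says is exposed.

Added example, not code from the IDS list or from any vendor. All signature
ids, version thresholds and scan records below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sig_id: str
    service: str      # service the signature is written for
    fixed_in: tuple   # first version tuple that is NOT vulnerable (assumed field)


@dataclass(frozen=True)
class ScanResult:
    host: str
    service: str
    version: tuple


def parse_version(text):
    """'2.4.49' -> (2, 4, 49); non-numeric components are dropped (assumption)."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


# Constructed signature catalogue: ids and thresholds are placeholders.
SIGNATURES = [
    Signature("SIG-HTTP-0001", "http", (2, 4, 50)),
    Signature("SIG-SSH-0001", "ssh", (8, 0)),
    Signature("SIG-SMTP-0001", "smtp", (3, 5)),
]


def active_signatures(scan, catalogue):
    """Map host -> set of signature ids worth running against that host.

    A signature is enabled only when the scan shows the matching service at a
    version below the signature's fixed_in threshold; everything else stays
    off, which is what keeps the per-host analytic set small.
    """
    active = {}
    for r in scan:
        for s in catalogue:
            if s.service == r.service and r.version < s.fixed_in:
                active.setdefault(r.host, set()).add(s.sig_id)
    return active


def activation_delta(previous, current):
    """Return (enabled, disabled) sets of (host, sig_id) pairs between two scans.

    'disabled' is the set retired because admins plugged the hole; 'enabled'
    is the set switched on because a new scan found a newly exposed service.
    """
    prev_pairs = {(h, s) for h, sigs in previous.items() for s in sigs}
    cur_pairs = {(h, s) for h, sigs in current.items() for s in sigs}
    return cur_pairs - prev_pairs, prev_pairs - cur_pairs


def scan_from_records(records):
    """Build ScanResult objects from (host, service, version-string) tuples."""
    return [ScanResult(h, svc, parse_version(v)) for h, svc, v in records]


# Constructed scan records (RFC 5737 documentation addresses).
SCAN_DAY1 = scan_from_records([
    ("192.0.2.5", "http", "2.4.49"),   # below 2.4.50 -> SIG-HTTP-0001 enabled
    ("192.0.2.5", "ssh", "8.4"),       # at/above 8.0 -> nothing enabled
    ("192.0.2.9", "smtp", "3.4"),      # below 3.5 -> SIG-SMTP-0001 enabled
])
SCAN_DAY2 = scan_from_records([
    ("192.0.2.5", "http", "2.4.51"),   # upgraded -> SIG-HTTP-0001 retired
    ("192.0.2.5", "ssh", "8.4"),
    ("192.0.2.9", "smtp", "3.4"),      # still exposed -> stays enabled
    ("192.0.2.12", "ssh", "7.9"),      # new host, old sshd -> SIG-SSH-0001 enabled
])


if __name__ == "__main__":
    day1 = active_signatures(SCAN_DAY1, SIGNATURES)
    day2 = active_signatures(SCAN_DAY2, SIGNATURES)
    enabled, disabled = activation_delta(day1, day2)
    print("day 1 active:", day1)
    print("day 2 active:", day2)
    print("newly enabled:", enabled)
    print("retired:", disabled)
```

The version comparison is a plain tuple comparison, which is enough for the dotted numeric versions in the sample data; a real deployment would need a version parser that understands vendor backports, since a patched package can carry a version string that still looks vulnerable, and that is where a scanner-driven approach silently mis-prunes.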
