IDS mailing list archives

False Positives

From: Andi Hess <andi_hess () web de>
Date: 3 Jun 2003 16:13:11 -0000



Hi there,

I am new in the field of NIDS and I wonder if the
problem of false positives is really this huge as
mentioned in several publications.

I am considering tools like PCP, Stick (I have never
seen them, but read about them) which can be used to
generate huge amount of packets and each on triggers an
alarm on the victim IDS (a false positive, as the
packets are not a real attack).
As it has been impossible for me to find any of the
above mentioned packet generators - I wonder how the
packets look like? 
Is it possible to differentiate 'artifically' generated
false positives from natural ones?

Any hint is welcome!

Thank you.

A.




-------------------------------------------------------------------------------
INTRUSION PREVENTION: READY FOR PRIME TIME?

IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities 
- including intrusion identification, relevancy, direction, impact and analysis 
- enabling a path to prevention.

Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: 
http://www.securityfocus.com/IntruVert-focus-ids2
-------------------------------------------------------------------------------

Current thread:

False Positives Andi Hess (Jun 03)
- RE: False Positives Harshul Nayak (ealcatraz) (Jun 04)
- Re: False Positives Tobias Klein (Jun 05)
- <Possible follow-ups>
- Re: False Positives MARTIN M. Bénoni (Jun 04)
- RE: False Positives Steven Richards (Jun 04)
  - RE: False Positives Fergus Brooks (Jun 04)
- RE: False Positives Dudley, Brian (ISS Chicago) (Jun 05)