IDS mailing list archives
RE: False Positives
From: "Harshul Nayak (ealcatraz)" <harshul () ealcatraz com>
Date: Wed, 4 Jun 2003 18:11:12 -0000
Hello Andi,

It's quite often that many people use the term "false positive" for the tests conducted by you. With due respect to all, I would like to share, with reference to the article by Marcus J. Ranum for ICSA Labs IDSC:

Your mail is referring to:

• False Attack Stimulus – A stimulus that causes an IDS to trigger an alarm when no actual exploited attack has occurred. False attack stimuli generate false positives, and are frequently seen during badly designed IDS tests or when attackers attempt to overload an IDS' alert processing capability using a tool such as Stick. Many scanning tools generate false attack stimuli. For example, if a vulnerability assessment tool connects to a web server and issues a "GET" for a known-vulnerable CGI-bin script, it is not the same thing as when a hacking tool connects and exercises the complete attack via the same script. Depending on the application protocols in use it may be difficult for the IDS to distinguish a stimulus that looks for a vulnerability from a stimulus that actually triggers a compromise in the system. False attack stimuli are deliberately used in some IDS testing regimens, attempting to verify the IDS' function without placing real systems at risk. When testing an IDS a tester should mix a number of false attack stimuli with true attack stimuli.

Here is the definition of "false positive":

• False Positive – An alarm generated by an IDS in which the IDS alerts to a condition that is actually benign. In other words, the IDS made a mistake. A typical example of a false positive would be a case when an IDS raises a "SYN flood" alarm because it sees a large number of SYN packets directed at a busy web server and mistakenly concludes it is under attack. Another example of a false positive would be an IDS raising an "SMTP Wiz attack" alarm when it observes the string "DEBUG" in the body of an SMTP message.

Hope this helps you.

-regs
Harshul

Copyright © 2002 Sintelli http://www.sintelli.com
----------------------------------------------------------------
"A good listener is usually thinking about something else."

-----Original Message-----
From: Andi Hess [mailto:andi_hess () web de]
Sent: Tuesday, June 03, 2003 4:13 PM
To: focus-ids () securityfocus com
Subject: False Positives

Hi there,

I am new in the field of NIDS and I wonder if the problem of false positives is really as huge as mentioned in several publications. I am considering tools like PCP and Stick (I have never seen them, but have read about them) which can be used to generate huge amounts of packets, each one triggering an alarm on the victim IDS (a false positive, as the packets are not a real attack).

As it has been impossible for me to find any of the above mentioned packet generators, I wonder what the packets look like. Is it possible to differentiate 'artificially' generated false positives from natural ones?

Any hint is welcome! Thank you.

A.

-------------------------------------------------------------------------------
INTRUSION PREVENTION: READY FOR PRIME TIME?
IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities - including intrusion identification, relevancy, direction, impact and analysis - enabling a path to prevention.
Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: http://www.securityfocus.com/IntruVert-focus-ids2
-------------------------------------------------------------------------------
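Both false positives quoted in the reply above come from a detector that ignores protocol context: a content match that cannot tell an SMTP command from message text, and a SYN counter that cannot tell a busy server from a flood. The following is an added illustration written for this archive page, not code from the thread or from any IDS named in it. It assumes the SMTP input is a reassembled client-to-server byte stream and models packets as simplified records carrying only endpoints and TCP flags; all traffic in it is constructed.

```python
"""Context-aware detection vs. naive matching for the two false positives in the post.

Added illustration, not from the mailing-list thread. Assumptions: the SMTP input
is a reassembled client-to-server byte stream, and packets are simplified records
carrying only endpoints and TCP flags. All traffic below is constructed."""
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple


@dataclass(frozen=True)
class Alert:
    rule: str
    reason: str


# ---- 1. "SMTP Wiz attack": DEBUG as a command vs. DEBUG as message text ----

def naive_smtp_match(stream: bytes) -> List[Alert]:
    """Alert whenever the string DEBUG appears anywhere in the stream (case-insensitive)."""
    if b"DEBUG" in stream.upper():
        return [Alert("SMTP Wiz attack", "string 'DEBUG' seen somewhere in the stream")]
    return []


def smtp_client_commands(stream: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (verb, line) for client command lines only.

    Everything between DATA and the lone '.' terminator is message body and is
    skipped, so text inside a mail cannot be mistaken for a protocol command."""
    in_body = False
    for raw in stream.split(b"\r\n"):
        line = raw.strip()
        if in_body:
            if line == b".":
                in_body = False
            continue
        if not line:
            continue
        verb = line.split(b" ", 1)[0].upper()
        if verb == b"DATA":
            in_body = True
        yield verb, line


def protocol_aware_smtp_match(stream: bytes) -> List[Alert]:
    """Alert only when the client actually issues a DEBUG or WIZ command."""
    alerts = []
    for verb, line in smtp_client_commands(stream):
        if verb in (b"DEBUG", b"WIZ"):
            alerts.append(Alert("SMTP Wiz attack",
                                f"client command {line.decode(errors='replace')!r}"))
    return alerts


# ---- 2. "SYN flood": counting SYNs vs. counting handshakes that never complete ----

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: str  # client->server TCP flags: "S" = SYN, "A" = ACK (third handshake step)


def naive_syn_flood(packets: Iterable[Pkt], threshold: int = 5) -> bool:
    """Alert on raw SYN volume. A busy but healthy web server trips this."""
    return sum(1 for p in packets if p.flags == "S") >= threshold


def half_open_syn_flood(packets: Iterable[Pkt], threshold: int = 5) -> bool:
    """Alert on SYNs whose handshake is never completed by the client's ACK."""
    pending = set()
    for p in packets:
        key = (p.src, p.dst)
        if p.flags == "S":
            pending.add(key)
        elif p.flags == "A":
            pending.discard(key)
    return len(pending) >= threshold


# ---- constructed sample traffic (addresses and hosts are made up) ----

BENIGN_SMTP = (b"EHLO build.example.org\r\nMAIL FROM:<ci@example.org>\r\n"
               b"RCPT TO:<ops@example.org>\r\nDATA\r\nSubject: nightly build\r\n\r\n"
               b"Rerun with LOG_LEVEL=DEBUG to get the full trace.\r\n.\r\nQUIT\r\n")
SUSPECT_SMTP = b"HELO x\r\nDEBUG\r\nQUIT\r\n"

SRV = "10.0.0.80"
# eight clients, each completing a normal handshake (server SYN-ACKs omitted)
BUSY_WEB = [p for i in range(8)
            for p in (Pkt(f"10.0.1.{i}", SRV, "S"), Pkt(f"10.0.1.{i}", SRV, "A"))]
# eight SYNs that are never followed by an ACK
FLOOD = [Pkt(f"198.51.100.{i}", SRV, "S") for i in range(8)]

if __name__ == "__main__":
    print("naive SMTP on benign mail   :", naive_smtp_match(BENIGN_SMTP))           # false positive
    print("protocol-aware on benign    :", protocol_aware_smtp_match(BENIGN_SMTP))  # []
    print("protocol-aware on suspect   :", protocol_aware_smtp_match(SUSPECT_SMTP))
    print("naive SYN count, busy server:", naive_syn_flood(BUSY_WEB))      # True -> false positive
    print("half-open, busy server      :", half_open_syn_flood(BUSY_WEB))  # False
    print("half-open, real flood       :", half_open_syn_flood(FLOOD))     # True
```

The naive matcher fires on the benign build notification because it sees DEBUG in the mail body, exactly the misfire the reply describes; the protocol-aware matcher only fires when DEBUG arrives as a client command. Likewise the raw SYN counter alarms on eight legitimate connections, while tracking half-open handshakes keeps the busy server quiet and still flags the stream of unanswered SYNs. The thresholds are deliberately tiny so the effect shows on a handful of constructed packets.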
Current thread:
- False Positives Andi Hess (Jun 03)
- RE: False Positives Harshul Nayak (ealcatraz) (Jun 04)
- Re: False Positives Tobias Klein (Jun 05)
- <Possible follow-ups>
- Re: False Positives MARTIN M. Bénoni (Jun 04)
- RE: False Positives Steven Richards (Jun 04)
- RE: False Positives Fergus Brooks (Jun 04)
- RE: False Positives Dudley, Brian (ISS Chicago) (Jun 05)