IDS mailing list archives
RE: False Positives (Definitions White Paper)
From: "Markle, Scott" <smarkle () icsalabs com>
Date: Thu, 5 Jun 2003 09:47:26 -0400
Hello Steven -

The complete white paper previously mentioned can be found at:
http://www.icsalabs.com/html/communities/ids/whitepaper/FalsePositives.pdf

"False Positives: A user's guide to making sense of IDS alarms" was written by Marcus Ranum with the cooperation of the ICSA Labs IDS Consortium. Other industry experts involved in the process of creating this paper include:

Mike Hall - Cisco
Robert Graham - Internet Security Systems
Marty Roesch - Sourcefire

Additional vendor representatives were also involved in the process.

If anyone has any comments/suggestions for future revision, I would be glad to put them before the consortium for review.

Thanks,
Scott Markle

ICSA Labs
Scott Markle  smarkle () icsalabs com
Technology Program Manager  www.icsalabs.com
717.790.8112v  717.790.8170.fx
PGP 46D9 45FB 4270 3278 6059 9FFB 4B82 E9D2

-----Original Message-----
From: Steven Richards [mailto:srichards () netscreen com]
Sent: Wednesday, June 04, 2003 4:19 PM
To: focus-ids () securityfocus com
Cc: 'Harshul Nayak (ealcatraz)'; Andi Hess
Subject: RE: False Positives

<insert standard vendor disclaimer here>

I would like to offer up a couple of definitions of terms for discussion. We in the security space, more specifically the IDS/P space, should agree on some standard language. In my opinion, these terms should be considered:

False Positive = Sensor is supposed to be looking for 'xyz' and what actually goes across the wire is 'abc', which generates an alert.

Non-Security Event = Sensor is looking for 'XXX', it sees 'XXX' go over the wire, *but* it is not an actual "Security Event" because the corporate security policy and/or the system configurations are intentionally not configured to disallow 'XXX'.

For example: you configure your systems to allow Null Login NetBIOS Sessions (for whatever reason) and your corporate security policies do not disallow this.
The sensor sees this traffic and it generates an alert. It actually happened on your network. It's just that you don't *care* about it.
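The two definitions above, applied as a small alert-triage routine. This is an added example, not code from the thread or the white paper; the signature pattern, host names and policy table are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    intended: re.Pattern  # what the rule is really meant to catch (the 'xyz')


@dataclass(frozen=True)
class Alert:
    signature: Signature
    dst_host: str
    payload: bytes  # what actually crossed the wire


FALSE_POSITIVE = "false positive"
NON_SECURITY_EVENT = "non-security event"
SECURITY_EVENT = "security event"


def triage(alert, policy):
    """Classify one alert using the thread's definitions.

    Sensor fired but the traffic does not contain what the signature is
    meant to detect ('abc' instead of 'xyz'): false positive.
    Traffic really contains it, but policy for this host intentionally
    permits the behaviour: non-security event.
    Otherwise: a security event worth an analyst's time.
    """
    if not alert.signature.intended.search(alert.payload):
        return FALSE_POSITIVE
    if alert.signature.name in policy.get(alert.dst_host, set()):
        return NON_SECURITY_EVENT
    return SECURITY_EVENT


def triage_all(alerts, policy):
    return [triage(a, policy) for a in alerts]


# Constructed sample data: a hypothetical rule for an SMB null-session
# tree connect to IPC$, and a policy that allows it on one file server.
NULL_SESSION = Signature("netbios-null-session", re.compile(rb"\\IPC\$\x00"))
POLICY = {"fileserver01": {"netbios-null-session"}}
ALERTS = [
    Alert(NULL_SESSION, "fileserver01", b"..\\\\FILESERVER01\\IPC$\x00.."),
    Alert(NULL_SESSION, "hr-db", b"..\\\\HR-DB\\IPC$\x00.."),
    Alert(NULL_SESSION, "hr-db", b"GET /index.html HTTP/1.1"),  # the 'abc' case
]

if __name__ == "__main__":
    for a, verdict in zip(ALERTS, triage_all(ALERTS, POLICY)):
        print(f"{a.signature.name} -> {a.dst_host}: {verdict}")
```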