IDS mailing list archives

RE: False Positives (Definitions White Paper)


From: "Markle, Scott" <smarkle () icsalabs com>
Date: Thu, 5 Jun 2003 09:47:26 -0400

Hello Steven - The complete white paper previously mentioned can be found
at:
http://www.icsalabs.com/html/communities/ids/whitepaper/FalsePositives.pdf
"False Positives: A user's guide to making sense of IDS alarms"
was written by Marcus Ranum with the cooperation of the ICSA Labs IDS
Consortium.
Other industry experts involved in the process of creating this paper
include:
Mike Hall - Cisco
Robert Graham - Internet Security Systems
Marty Roesch - Sourcefire
Additional vendor representatives were also involved in the process.

If anyone has any comments/suggestions for future revision, 
I would be glad to put them before the consortium for review.

Thanks,
Scott Markle

(((((((((((((((((((((((((((((ICSA Labs)))))))))))))))))))))))))))))
Scott Markle                                    smarkle () icsalabs com
Technology Program Manager                      www.icsalabs.com
717.790.8112v                                   717.790.8170.fx
PGP 46D9 45FB 4270 3278  6059 9FFB 4B82 E9D2


-----Original Message-----
From: Steven Richards [mailto:srichards () netscreen com]
Sent: Wednesday, June 04, 2003 4:19 PM
To: focus-ids () securityfocus com
Cc: 'Harshul Nayak (ealcatraz)'; Andi Hess
Subject: RE: False Positives

-----BEGIN PGP SIGNED MESSAGE-----

<insert standard vendor disclaimer here>

I would like to offer up a couple of definitions of terms for
discussion.

We in the security space, more specifically the IDS/P space, should
agree on some standard language.


In my opinion, these terms should be considered:

False Positive = Sensor is supposed to be looking for 'xyz' and what
actually goes across the wire is 'abc', which generates an alert.

Non-Security Event = Sensor is looking for 'XXX'; it sees 'XXX' go
over the wire, *but* it is not an actual "Security Event" because the
corporate security policy and/or the system configurations are
intentionally not configured to disallow 'XXX'.  For example: you
configure your systems to allow Null Login NetBIOS Sessions (for
whatever reason) and your corporate security policies do not disallow
this.  The sensor sees this traffic and it generates an alert.  It
actually happened on your network.  It's just that you don't *care*
about it.

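A small alert-triage helper, added here as an illustration and not part of Steven's post or any vendor's code, that keeps the two categories proposed above apart so that policy-permitted traffic is not counted as a sensor defect. The alert fields, the `confirmed` flag (standing in for whatever second-stage check verifies that the signature's condition really occurred), the signature names, addresses and the policy table are all constructed.

```python
# Added example, not code from the thread: "false positive" (sensor fired on
# something other than what it looks for) vs "non-security event" (the
# condition really occurred, but policy permits it). All values are constructed.
import ipaddress
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    signature: str   # what the sensor is supposed to be looking for, e.g. 'netbios_null_session'
    confirmed: bool  # whether a second look at the packet confirmed that condition really occurred
    src: str
    dst: str

# Constructed policy: conditions the organisation intentionally allows, scoped per network.
POLICY_ALLOWED = {
    "netbios_null_session": [ipaddress.ip_network("10.20.0.0/16")],
}

def classify(alert: Alert, allowed=POLICY_ALLOWED) -> str:
    """Return 'false_positive', 'non_security_event' or 'security_event'."""
    if not alert.confirmed:
        # Sensor looked for 'xyz' and fired on 'abc': a signature defect,
        # regardless of what policy says about 'xyz'.
        return "false_positive"
    dst = ipaddress.ip_address(alert.dst)
    if any(dst in net for net in allowed.get(alert.signature, [])):
        # 'XXX' really crossed the wire, but policy permits it here: suppress
        # by policy scope rather than by loosening the signature.
        return "non_security_event"
    return "security_event"

def triage(alerts, allowed=POLICY_ALLOWED) -> dict:
    """Per-category counts plus separate rates, so policy noise is not reported as sensor error."""
    counts = Counter(classify(a, allowed) for a in alerts)
    total = len(alerts) or 1  # avoid division by zero on an empty batch
    return {
        **{k: counts[k] for k in ("false_positive", "non_security_event", "security_event")},
        "false_positive_rate": counts["false_positive"] / total,
        "policy_noise_rate": counts["non_security_event"] / total,
    }

SAMPLE_ALERTS = [  # constructed
    Alert("netbios_null_session", True, "10.20.1.5", "10.20.5.7"),     # permitted by policy
    Alert("netbios_null_session", True, "10.20.1.5", "192.168.1.10"),  # outside the allowed scope
    Alert("netbios_null_session", False, "10.20.1.5", "10.20.5.7"),    # signature misfired
    Alert("ssh_brute_force", True, "198.51.100.9", "10.20.5.8"),       # no policy exception
]
```

Run `triage(SAMPLE_ALERTS)` to see one alert of each kind counted separately; the misfire is still a false positive even though policy would have permitted a real null session to that host.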

