IDS mailing list archives
Re: False Positives with IntruVert
From: Paul Schmehl <pauls () utdallas edu>
Date: 28 Mar 2003 12:17:24 -0600
On Fri, 2003-03-28 at 11:36, Cure, Samuel J wrote:
> Looking for some feedback on IntruVert. I have a client that is evaluating IntruVert in the lab and has been getting a lot of false positives on their network. They are afraid to put IntruVert into the IPS mode, of actually stopping traffic based on false positives. Gartner Group has claimed that everyone is moving from Detection to Prevention, but if the underlying technology has this many flawed signatures, I do not see how anyone can confidently use it and start blocking all attacks.
I don't either. There's a lot of jabber about IPS these days, but the reality is, until the false positives problem is solved they will see extremely limited duty.
> Has anyone put IntruVert into full Prevention mode and what were the effects? I have not heard of anyone actually using IntruVert's prevention mode, but mostly as an IDS. While it seems that many IDS/IPS reviewers rank and measure finding attacks high, it would seem equally, if not more, important to rank false positives high, especially in Prevention mode. Are there any reviewers that have compared the false positives and false alarms of all the IDS/IPS products? Has anyone here compared false positives of IntruVert, Snort, Cisco, RealSecure, etc.?
I haven't seen any studies, but I can tell you from having used Intrusion Inc's SecureNet Pro, snort and Cisco IDS, I'd be very surprised to find a product with *no* false positives - especially those that are purely signature based (almost none are anymore, but they all use signatures.) We are doing some limited IPS with snort, but the only rules we use it on are detections of CodeRed on our network (and I just discovered some false positives with that), and a custom rule I wrote to deliberately block certain IPs that were persistently probing us. I would be extremely hesitant to widely deploy IPS in a production network.

--
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member