IDS mailing list archives
Re: Announcement: Alert Verification for Snort
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 23 Oct 2003 22:01:26 -0400
On Oct 23, 2003, at 7:03 PM, Christopher Kruegel wrote:
>>> In case 2 the "nontextual" isn't a false positive but I think that most people are calling it an FP these days. I *personally* think that's a misconception. What we have in that case is a *real attack* that your IDS is detecting exactly as it was asked to. Just because it doesn't have the additional information about the context or relevance of the event isn't a problem with the IDS, it's a side effect of the way that NIDS have been built for the past 10 years.

>> In the not too distant past I would have agreed with this - but I think as IDS implementations grew, the way people describe FPs has changed. I think today's IDS *needs* to know "the additional information about the context and relevance" - because the event you are referring to is what I'll call an "effective FP". Effective because any time I spend trying to track down an IIS attack on an apache box is wasted effort. I completely understand your point Marty, because an attack did occur, and the IDS did log it. However, if it is going to log it, then I want it to tell me that the severity of the attack is lessened because it didn't succeed. Even better, I want to see the 404 or 403 error, so I can show my boss why I didn't even bother to look into it.

> From a theoretical point of view, I think that Marty is right and his classification is correct. In fact, we had a discussion about whether 'alert verification' was the correct term to use. We then concluded that most people don't care why they spent time looking at an alert that doesn't matter to them and that they refer to such alerts in general as false positives. That's why we used the terminology that we did.
I think alert verification is a fine term, I just want people to understand the distinction between false positives and nontextuals. We can do something about both of those cases, but they require different solutions to address. I don't want to confuse the issue; if I come out with separate solutions that both address "false positives", people will ask why I couldn't get it right the first time. :)
-Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
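The distinction Marty draws above, between a rule firing on a real attack that cannot affect its target (a "nontextual") and a genuine false positive, and Sam's wish for the IDS to attach the 404/403 it saw, can be made mechanical. The Python below is an added example for this archive page; it is not the Snort alert-verification tool Kruegel announced and not Sourcefire or Snort code. The asset inventory, the rule-to-product table, the rule id 1002 and the sample alerts are all constructed for the example.

```python
"""Toy alert verification: attach target context and the server's reply to a
raw alert so that an analyst can tell a nontextual from an alert that still
needs a human. Constructed example, not the tool discussed in the thread."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed asset inventory (assumption): destination host -> web server product.
ASSET_INVENTORY: Dict[str, str] = {
    "10.0.0.5": "apache",
    "10.0.0.9": "iis",
}

# Constructed table (assumption): rule id -> the only product the rule's exploit
# affects. 1002 is a placeholder id, not a real Snort SID.
RULE_TARGET_PRODUCT: Dict[int, str] = {
    1002: "iis",
}


@dataclass
class Alert:
    """Minimal stand-in for a Snort alert plus the HTTP status observed on the same flow."""
    sid: int
    src: str
    dst: str
    http_status: Optional[int] = None


@dataclass
class Verdict:
    label: str                       # "verified", "nontextual" or "unverified"
    severity: str                    # "high", "low" or "medium"
    evidence: List[str] = field(default_factory=list)


def verify(alert: Alert) -> Verdict:
    """Classify one alert.

    nontextual: the attack is real, but the target does not run the product the
                rule's exploit affects (Sam's IIS attack against an Apache box);
                severity is lowered and the 403/404, if seen, is kept as evidence.
    verified:   the platform matches (or is unknown) and the server replied 2xx,
                so the request was accepted and the alert needs a human.
    unverified: the platform matches but no 2xx reply was seen; keep for triage.
    """
    evidence: List[str] = []
    rule_product = RULE_TARGET_PRODUCT.get(alert.sid)
    host_product = ASSET_INVENTORY.get(alert.dst)

    if rule_product and host_product and rule_product != host_product:
        evidence.append(
            f"{alert.dst} runs {host_product}; rule {alert.sid} only affects {rule_product}"
        )
        if alert.http_status in (403, 404):
            evidence.append(f"server answered {alert.http_status}")
        return Verdict("nontextual", "low", evidence)

    if alert.http_status is not None and 200 <= alert.http_status < 300:
        evidence.append(f"server answered {alert.http_status}; request was accepted")
        return Verdict("verified", "high", evidence)

    if alert.http_status is not None:
        evidence.append(f"server answered {alert.http_status}")
    else:
        evidence.append("no server reply captured")
    return Verdict("unverified", "medium", evidence)


def triage(alerts: List[Alert]) -> Dict[str, int]:
    """Count verdict labels across a batch of alerts."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        label = verify(alert).label
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample alerts: the same IIS rule against an Apache host (404),
    # against an IIS host that accepted the request, and with no reply seen.
    sample = [
        Alert(1002, "203.0.113.7", "10.0.0.5", 404),
        Alert(1002, "203.0.113.7", "10.0.0.9", 200),
        Alert(1002, "203.0.113.7", "10.0.0.9"),
    ]
    for a in sample:
        v = verify(a)
        print(f"sid={a.sid} dst={a.dst} -> {v.label} ({v.severity}): {'; '.join(v.evidence)}")
    print(triage(sample))
```

The platform check is what turns a "real attack, wrong target" event into a low-severity record with the 404 attached, which is exactly the evidence Sam wanted to hand to his boss; the 2xx check is deliberately only a hint that the request got through, not proof the exploit succeeded, so those alerts stay high severity for a human rather than being auto-closed.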