IDS mailing list archives

Re: Announcement: Alert Verification for Snort

From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 23 Oct 2003 21:57:01 -0400


On Oct 23, 2003, at 6:53 AM, Sam f. Stover wrote:

On Wednesday, October 22, 2003, at 11:22  PM, Martin Roesch wrote:
In case 2 the "nontextual" isn't a false positive but I think thatmost people are calling it an FP these days. I *personally* thinkthat's a misconception. What we have in that case is a *real attack*that your IDS is detecting exactly as it was asked to. Just becauseit doesn't have the additional information about the context orrelevance of the event isn't a problem with the IDS, it's a sideeffect of the way that NIDS have been built for the past 10 years.
In the not too distant past I would have agreed with this - but Ithink as IDS implementations grew, the way people describe FPs haschanged. I think today's IDS *needs* to know "the additionalinformation about the context and relevance" - because the event youare referring to is what I'll call an "effective FP". Effectivebecause any time I spend trying to track down an IIS attack on anapache box is wasted effort. I completely understand your pointMarty, because an attack did occur, and the IDS did log it. However,if it is going to log it, then I want it to tell me that the severityof the attack is lessened because it didn't succeed. Even better, Iwant to see the 404 or 403 error, so I can show my boss why I didn'teven bother to look into it.

I agree and we're building new technology at Sourcefire to address it,and I know other companies are either building new stuff or adaptingold stuff (e.g. vuln scanners) to get the same sort of data. I wasjust pointing out that systems like Snort as it currently exists don'thave this notion built into them so saying that alert verificationreduces false positives when it's actually addressing nontextuals issomething that I want to discuss, especially since it's my code that'sproducing the "false postives". :)

I want my IDS to differentiate between an IIS attack on my apache boxand an IIS attack on an IIS box. I don't really care how it does it.The two main methods, as I see it, are passive fingerprinting orintegration with another tool like a vuln scanner. Both have theirdrawbacks w/ relation to different environments - which could probablyfuel a complete thread.


Yup.

The IDS landscape has changed. Ten years ago, the type of eventmentioned was probably not considered a FP. But at that time, IDS wasan infant and people weren't dealing with events on the scale ofmillions per day like they are today. Current-day NIDS need to evolveto solve the problems that current-day users are facing. IMHO 10years ago, NIDS administrators could afford to be a bit moreinterested in all kinds of attacks. IDS was a new and excitingtechnology. I think it's lost some of it's glamour since then andpeople have to use it as just another tool. And the people I talk todon't have the time nor resources to run down half of the "real"attacks, much less look into attacks that will never succeed.

Yes. Separating the wheat from the chaff is becoming increasinglyimportant in IDS as we all know, I'll be interested to see how thedifferent techniques and approaches people are using to address thisproblem actually work in production.


    -Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at

http://www.securityfocus.com/sponsor/RSA_focus-ids_031023and use priority code SF4.

---------------------------------------------------------------------------

Current thread:

Re: Announcement: Alert Verification for Snort, (continued)
- - - Re: Announcement: Alert Verification for Snort Martin Roesch (Oct 23)
  - Re: Announcement: Alert Verification for Snort Sam f. Stover (Oct 23)
    - Re: Announcement: Alert Verification for Snort Christopher Kruegel (Oct 23)
    - Re: Announcement: Alert Verification for Snort Sam f. Stover (Oct 23)
    - Re: Announcement: Alert Verification for Snort Martin Roesch (Oct 24)
    - Re: Announcement: Alert Verification for Snort Martin Roesch (Oct 23)
    - Re: Announcement: Alert Verification for Snort Randy Taylor (Oct 23)
    - Re: Announcement: Alert Verification for Snort Michael Stone (Oct 24)
    - Re: Announcement: Alert Verification for Snort Michael Sierchio (Oct 24)
    - Re: Announcement: Alert Verification for Snort Michael Stone (Oct 27)
    - Re: Announcement: Alert Verification for Snort Martin Roesch (Oct 23)
    - Re: Announcement: Alert Verification for Snort Michael Sierchio (Oct 23)
    - Re: Announcement: Alert Verification for Snort Ron Gula (Oct 23)
    - Re: Announcement: Alert Verification for Snort Frank Knobbe (Oct 24)
    - Re: Announcement: Alert Verification for Snort Barry Fitzgerald (Oct 24)
    - RE: Announcement: Alert Verification for Snort Craig H. Rowland (Oct 24)
    - Re: Announcement: Alert Verification for Snort Robin Sommer (Oct 24)
  - Re: Announcement: Alert Verification for Snort Raistlin (Oct 23)
    - Re: Announcement: Alert Verification for Snort Martin Roesch (Oct 23)
    - Re: Announcement: Alert Verification for Snort Michael Krieger (Oct 24)
  - Re: Announcement: Alert Verification for Snort Stephen P. Berry (Oct 24)

(Thread continues...)