RE: Network hardware IPS
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 10 Oct 2003 13:13:21 -0500
On Fri, 2003-10-10 at 12:56, Dave Killion wrote:
> Knowing a particular HTTP attack detection signature, I can always invent a URL that I claim is valid, and then therefore will trigger a false positive. With that in mind, I have to go with best guess - the majority of the time, if I see cmd.exe in a URL, is it malicious? Most likely, yes.
But it doesn't have to be. That's why we should strive to reduce false positives. Perhaps a better signature (for starters, CMD.EXE? instead of just CMD.EXE) or some sort of context within the request or even session would be a better solution than to accept ... uhmm... collateral damage by affecting some users with a weak sig.
> My whole point in this discussion has been the fact that for a given attack, it is possible to increase accuracy without reducing the detection rate through accuracy and context. That's really all there is to it.
heh... (I guess I should read emails in toto before replying...) I agree that context can increase accuracy, but in my opinion it should be a tool to reduce the detection rate (assuming we're reducing false positives). Perhaps you need to define which detection rate you mean. Alerts/detection that the sensor picks up, or alerts/detection that are passed on to the administrator.

Regards,
Frank
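The weak-versus-contextual signature argument above, as an added example that is not part of the original thread: a naive "cmd.exe anywhere in the URL" check is compared with a stricter rule requiring cmd.exe to be the requested resource followed by a query string (the "CMD.EXE?" shape), over a small set of constructed request lines. The request lines, the labelling of which one is malicious, and the function names are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample request lines (not taken from the original thread).
# Only the first is treated as malicious for this illustration.
SAMPLE_REQUESTS = [
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /docs/windows/cmd.exe-reference.html HTTP/1.1",
    "GET /search?q=how+to+use+cmd.exe HTTP/1.1",
    "GET /kb/article?title=cmd.exe+options HTTP/1.1",
    "GET /index.html HTTP/1.1",
]
MALICIOUS = {SAMPLE_REQUESTS[0]}


def url_of(request_line):
    """Extract the request-target from 'METHOD target HTTP/x.y'."""
    return request_line.split(" ")[1]


def naive_signature(request_line):
    """The weak signature criticised in the thread: 'cmd.exe' anywhere in the URL."""
    return "cmd.exe" in url_of(request_line).lower()


def context_signature(request_line):
    """Stricter rule: cmd.exe must be the final path segment (after percent-decoding)
    and the request must carry a query string, i.e. the 'CMD.EXE?' shape."""
    parts = urlsplit(url_of(request_line))
    # Decode twice so double-encoded traversal sequences (e.g. %255c) normalise.
    path = unquote(unquote(parts.path)).replace("\\", "/")
    last_segment = path.rsplit("/", 1)[-1].lower()
    return last_segment == "cmd.exe" and parts.query != ""


def evaluate(signature, requests=SAMPLE_REQUESTS, malicious=MALICIOUS):
    """Return (true_positives, false_positives) for a signature over the sample set."""
    hits = [r for r in requests if signature(r)]
    tp = sum(1 for r in hits if r in malicious)
    fp = sum(1 for r in hits if r not in malicious)
    return tp, fp


if __name__ == "__main__":
    for sig in (naive_signature, context_signature):
        tp, fp = evaluate(sig)
        print(f"{sig.__name__}: true positives={tp}, false positives={fp}")
```

On this sample set both rules catch the one malicious request, but only the contextual rule does so without flagging the three benign URLs that merely mention cmd.exe; the narrower match should still be checked against the full set of request shapes it is meant to detect, since a cmd.exe request without a query string would not match it.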