IDS mailing list archives

Re: Announcement: Alert Verification for Snort


From: "Sam f. Stover" <sstover () atrc sytexinc com>
Date: Thu, 23 Oct 2003 06:53:41 -0400


On Wednesday, October 22, 2003, at 11:22 PM, Martin Roesch wrote:

In case 2 the "nontextual" isn't a false positive but I think that most people are calling it an FP these days. I *personally* think that's a misconception. What we have in that case is a *real attack* that your IDS is detecting exactly as it was asked to. Just because it doesn't have the additional information about the context or relevance of the event isn't a problem with the IDS, it's a side effect of the way that NIDS have been built for the past 10 years.

In the not too distant past I would have agreed with this - but I think as IDS implementations grew, the way people describe FPs has changed. I think today's IDS *needs* to know "the additional information about the context and relevance" - because the event you are referring to is what I'll call an "effective FP". Effective because any time I spend trying to track down an IIS attack on an apache box is wasted effort. I completely understand your point Marty, because an attack did occur, and the IDS did log it. However, if it is going to log it, then I want it to tell me that the severity of the attack is lessened because it didn't succeed. Even better, I want to see the 404 or 403 error, so I can show my boss why I didn't even bother to look into it.

I want my IDS to differentiate between an IIS attack on my apache box and an IIS attack on an IIS box. I don't really care how it does it. The two main methods, as I see it, are passive fingerprinting or integration with another tool like a vuln scanner. Both have their drawbacks w/ relation to different environments - which could probably fuel a complete thread.

The IDS landscape has changed. Ten years ago, the type of event mentioned was probably not considered an FP. But at that time, IDS was an infant and people weren't dealing with events on the scale of millions per day like they are today. Current-day NIDS need to evolve to solve the problems that current-day users are facing. IMHO 10 years ago, NIDS administrators could afford to be a bit more interested in all kinds of attacks. IDS was a new and exciting technology. I think it's lost some of its glamour since then and people have to use it as just another tool. And the people I talk to don't have the time or resources to run down half of the "real" attacks, much less look into attacks that will never succeed.


Just my $0.02
____
S.f.Stover
sstover () iwc sytexinc com
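The verification step the post asks for, as an added example that is not code from the original thread or from Snort itself: a Snort fast-format alert is matched against an asset table (the kind passive fingerprinting or a vulnerability-scanner import would populate) and, where available, the HTTP status the server returned, and the alert is kept but demoted when the target cannot be affected. The host table, the rule-prefix-to-platform map and the sample alert lines are constructed for the example.

```python
import re

# Constructed asset inventory standing in for what passive fingerprinting or a
# vulnerability-scanner import would supply (hypothetical hosts, not from the post).
ASSETS = {
    "10.0.0.5": {"http_server": "apache"},
    "10.0.0.9": {"http_server": "iis"},
}

# Snort "fast" alert layout: time [**] [gid:sid:rev] msg [**] ... [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\].*?\[Priority: (?P<prio>\d+)\]"
    r".*?(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\d+"
)

# Rule-message prefixes whose attacks only succeed against one server platform (assumed map).
PLATFORM_BY_PREFIX = {"WEB-IIS": "iis", "WEB-FRONTPAGE": "iis"}

def verify_alert(line, assets=ASSETS, http_status=None):
    """Return the alert's original priority, a verified priority, and the reason for any
    demotion. http_status is the server's reply code for the same request, if captured."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("not a Snort fast-format alert: %r" % line)
    prefix = m.group("msg").split()[0]
    prio = int(m.group("prio"))
    result = {"dst": m.group("dst"), "msg": m.group("msg"), "priority": prio,
              "verified_priority": prio, "verdict": "unverified", "reason": "target unknown"}
    needed = PLATFORM_BY_PREFIX.get(prefix)
    actual = assets.get(m.group("dst"), {}).get("http_server")
    if needed and actual and actual != needed:
        # A real attack, logged as such, but one that cannot succeed here: keep it, demote it.
        result.update(verdict="effective_fp", verified_priority=3,
                      reason="%s rule, target runs %s" % (prefix, actual))
    elif needed and actual == needed:
        result.update(verdict="verified", reason="target runs %s" % actual)
    if http_status in (403, 404) and result["verdict"] != "effective_fp":
        # The server refused or could not find the resource: evidence the request went nowhere.
        result.update(verdict="effective_fp", verified_priority=3,
                      reason="server answered HTTP %d" % http_status)
    return result

# Constructed sample alerts (not real traffic): same IIS rule against an Apache and an IIS host.
SAMPLE = [
    "10/23-06:53:41.000000  [**] [1:1002:7] WEB-IIS cmd.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:40123 -> 10.0.0.5:80",
    "10/23-06:53:42.000000  [**] [1:1002:7] WEB-IIS cmd.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:40124 -> 10.0.0.9:80",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(verify_alert(line))
```

The demoted alert still carries the original priority and the reason, so the record of the attempt survives for anyone who does want to chase it.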
