Re: Announcement: Alert Verification for Snort

["Raistlin" <raistlin () gioco net>]

Hi Martin, hi all.

My own .02 EUR:

> 1) Detect, Attack Present, Vulnerable:  True Positive
> 2) Detect, Attack Present, Not Vulnerable: Nontextual (i.e. detect
> requiring contextual data to resolve)

Actually, I think that vulnerable or non-vulnerable is not tied to the
true/false positive concept... so I'd say:

Detect, Attack Present, Signature Present, [vuln|not]: True Positive

(thinking of a signature based system, reword it for your favorite system)

> 4) No Detect, Attack Present, Vulnerable: False Negative
> 5) No Detect, Attack Present, Not Vulnerable: ?

Here it is a bit more complex, but I'd say
No Detect, Attack Present, Signature Present, [Vuln|not vuln]: False
Negative

No Detect, Attack Present, Signature Present, Not Vulnerable: a lucky false
negative :)

> 6) No Detect, No Attack, [vuln|not vuln]: Don't care (true negative?)

True negative is the correct definition, but it encloses also:

No Detect, [Attack|No Attack], No Signature, [vuln|not vuln]

> In case 2 the "nontextual" isn't a false positive but I think that most
> people are calling it an FP these days.  I *personally* think that's a
> misconception.

I agree wholeheartedly.

Stefano "Raistlin" Zanero
System Administrator Gioco.Net
public PGP key block at http://gioco.net/pgpkeys



---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
and use priority code SF4.
---------------------------------------------------------------------------