IDS mailing list archives

Re: Announcement: Alert Verification for Snort


From: "Sam f. Stover" <sstover () atrc sytexinc com>
Date: Thu, 23 Oct 2003 20:31:10 -0400


On Thursday, October 23, 2003, at 07:03  PM, Christopher Kruegel wrote:

> From a theoretical point of view, I think that Marty is right and his classification is correct.

I probably agree with you both "theoretically". However, I was talking about what actually happens to real users. I used to work for an IDS vendor, and I know how much of a glass bubble it can be. Out in the "real world", however, theory is vastly different from practice.

> In fact, we had a discussion about whether 'alert verification' was the correct term to use. We then concluded that most people don't care why they spent time looking at an alert that doesn't matter to them and that they refer to such alerts in general as false positives.

This is *not* my experience. I personally get extremely annoyed if my own fault (or the fault of the tool I chose to employ) leads me on a wild goose chase. I want my IDS to learn with me, not constantly provide me with the same level of annoyance. It needs to evolve.

> That's why we used the terminology that we did.

That's cool. I know my opinion doesn't really matter in the end. I just thought I'd contribute my experiences. ;-)


____
S.f.Stover
sstover () iwc sytexinc com
