IDS mailing list archives

Re: "False positive" database idea


From: George Bakos <gbakos () ists dartmouth edu>
Date: Wed, 24 Sep 2003 09:53:47 -0400

A bugzilla approach might make more sense, so that the appropriate
developers are afforded the opportunity to address any issues with their
rules/sigs. Once validated as a "loose" attack definition by the developer
(or other community-vetted volunteer), the rule/sig could then be flagged
as such, giving the more diligent NIDS admins the opportunity to further
tune it for their own situation.

Then, if someone really wants to use the bugzilla http API to automate their
NIDS configuration, they deserve whatever Chad's scenario brings upon
them!

Cheers.

g

On Wed, 24 Sep 2003 13:05:57 -0000
"Chad I. Uretsky" <c.uretsky () netiq com> wrote:

While this sounds like a good idea in theory, I can see a drawback.

What is to prevent someone from crafting a new attack, checking what its
signature looks like in a NIDS, then submitting that signature for insertion
into the database?  If the database were then updated with such a signature,
those utilizing the database to identify "false positives" would identify
the signature of such an attack as a false positive.

Of course, if every signature underwent incredible scrutiny before being
allowed to be added to the database, perhaps this could be avoided.  But who
is going to do the scrutinizing?

Just a couple of thoughts.

Chad Uretsky, CISSP, CCNP



-----Original Message-----
From: Anton A. Chuvakin [mailto:anton () chuvakin org]
Sent: Tuesday, September 23, 2003 11:52 AM
To: focus-ids () securityfocus com
Subject: "False positive" database idea


All,

I suspect most people monitoring lots of NIDS sensors start to have their
own favorite "false positives". After I upped the number of snort sensors
I run, I started seeing lots of nice ones :-) And that made me think of the
following idea.

Why can't a public database of "false positives" be created so that NIDS
users everywhere can submit theirs and make life simple for everybody? Of
course, that applies to NIDS with open sigs such as Snort and Dragon.
Obviously, lots of FPs are specific to a certain brand of NIDS, but I
think it will still be pretty useful (especially since other NIDS vendors
are adopting Snort sig language...)

For example, submission may take the form of 'Application X during auth
phase always triggers snort alarm Y' or 'I keep seeing this in my
environment; here is the packet dump, here is the alert X which gets
triggered'

I suspect implementing such an idea will optimize the NIDS rule
development by a large margin and will help to fight off evil anti-NIDS
FUD.

Just to clarify, "false positive" here is a known benign triggering of a
NIDS alert (NOT 'my Apache is hit by CodeRed' some people are confused
about :-)). E.g. (just saw it :-)) fetchmail SSL auth under such and such
conditions triggers snort 649 SHELLCODE sig.

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCI*
     http://www.chuvakin.org
   http://www.info-secure.org



---------------------------------------------------------------------------
Captus Networks IPS 4000
Intrusion Prevention and Traffic Shaping Technology to: 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Precisely Define and Implement Network Security & Performance Policies
FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo 
http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------



-- 
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax
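As an added example (not code from any of the posters), the vetting workflow George describes, modelled in Python: a report stays SUBMITTED until a trusted maintainer other than its submitter validates it, and only validated entries are turned into Snort threshold.conf `suppress` lines, so an unvetted submission of the kind Chad worries about never reaches a sensor's configuration. The maintainer address and the sample reports are constructed.

```python
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    SUBMITTED = "submitted"   # raw community report, not yet trusted
    VALIDATED = "validated"   # confirmed benign by a rule maintainer
    REJECTED = "rejected"

@dataclass
class FPReport:
    sig_id: int        # Snort signature id (e.g. 649, SHELLCODE)
    app: str           # benign application that triggers the alert
    evidence: str      # packet dump / description supplied by the submitter
    submitter: str
    gen_id: int = 1
    status: Status = Status.SUBMITTED
    validator: str = ""

# Hypothetical trusted maintainers (the "developer or community-vetted
# volunteer" role from the thread); constructed for this example.
TRUSTED_VALIDATORS = {"maintainer@example.org"}

def validate(report, validator, accept):
    """Only a trusted validator who is not the submitter may change a report's status."""
    if validator not in TRUSTED_VALIDATORS:
        raise PermissionError(f"{validator} is not a trusted validator")
    if validator == report.submitter:
        raise PermissionError("a report cannot be validated by its own submitter")
    report.status = Status.VALIDATED if accept else Status.REJECTED
    report.validator = validator
    return report

def suppress_config(reports):
    """Emit Snort threshold.conf 'suppress' lines for VALIDATED reports only."""
    lines = []
    for r in reports:
        if r.status is not Status.VALIDATED:
            continue  # unvetted or rejected reports never reach the sensor config
        lines.append(f"# {r.app}: validated by {r.validator}")
        lines.append(f"suppress gen_id {r.gen_id}, sig_id {r.sig_id}")
    return lines

# Constructed sample: Anton's fetchmail / sig 649 case, plus an unvetted report
# for a brand-new signature (Chad's scenario).
reports = [
    FPReport(649, "fetchmail SSL auth", "packet dump attached", "anton@example.org"),
    FPReport(1000001, "new tool", "no evidence", "submitter@example.org"),
]
validate(reports[0], "maintainer@example.org", accept=True)
```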

