IDS mailing list archives
RE: "False positive" database idea
From: "Thompson, Jimi" <JimiT () mail cox smu edu>
Date: Wed, 24 Sep 2003 15:22:59 -0500
All,

I would suggest that while I might not use the bugzilla API to automate my snort config, I would love to be able to search such a database to see if I am dealing with a known issue or if I am indeed under some kind of attack. This would be especially helpful in dealing with implementations of new software into an existing environment. I think that it might also be used to give feedback to software vendors, which might be able to help reduce the number of false alarms.

2 cents,

Jimi

-----Original Message-----
From: George Bakos [mailto:gbakos () ists dartmouth edu]
Sent: Wednesday, September 24, 2003 8:54 AM
To: focus-ids () securityfocus com
Subject: Re: "False positive" database idea

A bugzilla approach might make more sense, so that the appropriate developers are afforded the opportunity to address any issues with their rules/sigs. Once validated as a "loose" attack definition by the developer (or other community-vetted volunteer), the rule/sig could then be flagged as such, giving the more diligent NIDS admins the opportunity to further tune it for their own situation.

Then, if someone really wants to use the bugzilla http API to automate their NIDS configuration, they deserve whatever Chad's scenario brings upon them!

Cheers.
g

On Wed, 24 Sep 2003 13:05:57 -0000
"Chad I. Uretsky" <c.uretsky () netiq com> wrote:
While this sounds like a good idea in theory, I can see a drawback. What is to prevent someone from crafting a new attack, checking what its signature looks like in a NIDS, then submitting that signature for insertion into the database? If the database were then updated with such a signature, those utilizing the database to identify "false positives" would identify the signature of such an attack as a false positive. Of course, if every signature underwent incredible scrutiny before being allowed to be added to the database, perhaps this could be avoided. But who is going to do the scrutinizing?

Just a couple of thoughts.

Chad Uretsky, CISSP, CCNP

-----Original Message-----
From: Anton A. Chuvakin [mailto:anton () chuvakin org]
Sent: Tuesday, September 23, 2003 11:52 AM
To: focus-ids () securityfocus com
Subject: "False positive" database idea

All,

I suspect most people monitoring lots of NIDS sensors start to have their own favorite "false positives". After I upped the number of snort sensors I run, I started seeing lots of nice ones :-) And that made me think of the following idea.

Why can't a public database of "false positives" be created so that NIDS users everywhere can submit theirs and make life simple for everybody? Of course, that applies to NIDS with open sigs such as Snort and Dragon. Obviously, lots of FPs are specific to a certain brand of NIDS, but I think it will still be pretty useful (especially since other NIDS vendors are adopting Snort sig language...)

For example, submission may take the form of 'Application X during auth phase always triggers snort alarm Y' or 'I keep seeing this in my environment; here is the packet dump, here is the alert X which gets triggered'.

I suspect implementing such an idea will optimize the NIDS rule development by a large margin and will help to fight off evil anti-NIDS FUD.

Just to clarify, "false positive" here is a known benign triggering of a NIDS alert (NOT 'my Apache is hit by CodeRed', which some people are confused about :-)). E.g. (just saw it :-)) fetchmail SSL auth under such and such conditions triggers snort 649 SHELLCODE sig.

Best,
--
Anton A. Chuvakin, Ph.D., GCI*
http://www.chuvakin.org
http://www.info-secure.org
---------------------------------------------------------------------------
Captus Networks IPS 4000 Intrusion Prevention and Traffic Shaping Technology to: - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Automatically Control P2P, IM and Spam Traffic - Precisely Define and Implement Network Security & Performance Policies FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------
--
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax
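As an added example (not code from any of the posters or from an existing project), here is a small Python model of the vetted database George describes, run over constructed Snort fast-alert lines: each entry carries a review status, only entries marked validated can suppress an alert, and only for services the local admin has opted into tuning, so an unreviewed submission of the kind Chad describes changes nothing. The Snort fast-alert line format is real; the sample alerts, addresses, ports, rule 1234, the message texts and the status names are assumptions made for this example.

```python
import re
from dataclasses import dataclass
# Snort "fast" alert line: ts [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

@dataclass(frozen=True)
class FPEntry:
    sid: int      # Snort signature id the benign traffic triggers
    dport: int    # service port of the application named in the report
    note: str     # e.g. "Application X during auth phase triggers sig Y"
    status: str   # submitted | validated | rejected (bugzilla-style review)

def parse_fast_alert(line):
    """Parse one Snort fast-alert line into a dict; reject anything else."""
    m = FAST_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort fast-alert line: %r" % line)
    d = m.groupdict()
    return {"sid": int(d["sid"]), "msg": d["msg"], "src": d["src"],
            "dst": d["dst"], "dport": int(d["dport"])}

def triage(alerts, fp_db, tuned_ports):
    """Return (kept, suppressed). Suppress only on a *validated* entry matching
    sid and dest port, and only for ports the local admin opted into tuning."""
    validated = {(e.sid, e.dport) for e in fp_db if e.status == "validated"}
    kept, suppressed = [], []
    for a in alerts:
        if (a["sid"], a["dport"]) in validated and a["dport"] in tuned_ports:
            suppressed.append(a)
        else:
            kept.append(a)   # unreviewed ("submitted") entries never suppress
    return kept, suppressed

# Constructed sample data: sid 649 is the SHELLCODE sig Anton mentions; the
# addresses, ports, rule 1234 and message texts are made up for this example.
SAMPLE_ALERTS = [
    "09/24-08:54:01.000001  [**] [1:649:5] SHELLCODE x86 NOOP [**] [Priority: 1] {TCP} 10.0.0.5:4321 -> 10.0.0.9:995",
    "09/24-08:55:10.000002  [**] [1:649:5] SHELLCODE x86 NOOP [**] [Priority: 1] {TCP} 192.0.2.7:5555 -> 10.0.0.9:80",
    "09/24-08:56:00.000003  [**] [1:1234:1] EXAMPLE custom rule [**] [Priority: 2] {TCP} 192.0.2.8:5556 -> 10.0.0.9:8080",
]
SAMPLE_DB = [
    FPEntry(649, 995, "fetchmail SSL auth trips SHELLCODE sig", "validated"),
    FPEntry(1234, 8080, "unreviewed claim that rule 1234 is noise", "submitted"),
]

def demo(tuned_ports=frozenset({995})):
    return triage([parse_fast_alert(l) for l in SAMPLE_ALERTS], SAMPLE_DB, tuned_ports)
```

With the sample data, only the fetchmail-on-995 alert is suppressed; the same sid on port 80 and the unreviewed rule 1234 entry both stay in the queue.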