IDS mailing list archives
Re: "False postive" database idea
From: George Bakos <gbakos () ists dartmouth edu>
Date: Thu, 25 Sep 2003 17:58:01 -0400
On Thu, 25 Sep 2003 17:22:08 -0400 (EDT) "Anton A. Chuvakin" <anton () chuvakin org> wrote:
George and all,A bugzilla approach might make more sense, so that the appropriate developers are afforded the opportunity to address any issues with their
Hmm, not sure. That kinda implies that "false positives" are "bugs" in NIDSs, which (IMHO) they are not.
I agree completely. Bugzilla submissions need not imply a flaw, merely a condition that is being brought to the attention of the community/developers. Should there be a number of submissions pertaining to rule XYZ, that knowledge may help an analyst in their triage of the dozens of daily "high-priority" reports. Again IMHO, FPs are inherent to
signature-based ID and can be reduced (via many means), but not "turned off" (I am assuming everybody saw this equation of FPs vs FNs). The most recent realization I had on that was when my Dragon NIDS produced a P#RN signature as a result of somebody reading an Apache manual (just like the signature doc said it might) :-) Obviously, NIDSs are still incrediblky useful in spite of that! I suspect that vendors might want to adjust signatures if there are persistent reports about some particular sig being very FP-prone, but not really based on every single report.
Not necessarily vendors, but users. One of the primary benefits of open-source rule definitions is the ability to tune any NIDS rule to a greater extent than just ON, OFF, or report threshold X. The challenge of deciding, initially and over time, which of the thousands of available rules to tune can be a daunting one for many, and can be made considerably simpler through such a database. Unfortunately, I have been at too many sites where default rulessets are turned on and left alone, resulting in mountains of impertinent logs. Statistical analysis methods and enterprise management consoles help, but simple site/organization-specific rule tuning yields huge payoffs. Cheers!
Best, -- Anton A. Chuvakin, Ph.D., GCI* http://www.chuvakin.org http://www.info-secure.org
-- George Bakos Institute for Security Technology Studies - IRIA Dartmouth College gbakos () ists dartmouth edu 603.646.0665 -voice 603.646.0666 -fax --------------------------------------------------------------------------- Captus Networks IPS 4000 Intrusion Prevention and Traffic Shaping Technology to: - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Automatically Control P2P, IM and Spam Traffic - Precisely Define and Implement Network Security & Performance Policies FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101 ---------------------------------------------------------------------------
Current thread:
- "False postive" database idea Anton A. Chuvakin (Sep 23)
- <Possible follow-ups>
- RE: "False postive" database idea Chad I. Uretsky (Sep 24)
- Re: "False postive" database idea George Bakos (Sep 24)
- Re: "False postive" database idea Anton A. Chuvakin (Sep 26)
- Re: "False postive" database idea George Bakos (Sep 26)
- RE: "False postive" database idea Jamie French (Sep 26)
- Re: "False postive" database idea George Bakos (Sep 24)
- RE: "False postive" database idea Anton A. Chuvakin (Sep 25)
- Re: "False postive" database idea Chris Reining (Sep 26)
- RE: "False postive" database idea Rob Shein (Sep 26)
- RE: "False postive" database idea Anton A. Chuvakin (Sep 30)