IDS mailing list archives
RE: "False postive" database idea
From: "Jamie French" <whitehats () sympatico ca>
Date: Fri, 26 Sep 2003 16:19:10 -0400
Just caught a part of this thread. I have a port database at http://www.whitehats.ca/main/tools/portquery2/portquery2.html that can be used to house lots of this type of info - even from a false positive perspective. If you can think of ways to improve the schema or create another DB for this purpose I'd be happy to contribute some resources and time when I can afford to.

For instance, do a query in the description field for 'root' (less the literal quotes) and see what pops up. Common false positives could be incorporated here too. As you can see this is broader than the scope of a port database.

Comments/Suggestions welcome.

Jamie French
j.french at whitehats.ca

-----Original Message-----
From: Anton A. Chuvakin [mailto:anton () chuvakin org]
Sent: Thursday, September 25 2003 5:22 PM
To: George Bakos
Cc: focus-ids () securityfocus com
Subject: Re: "False postive" database idea

George and all,
> A bugzilla approach might make more sense, so that the appropriate developers are afforded the opportunity to address any issues with their
Hmm, not sure. That kinda implies that "false positives" are "bugs" in NIDSs, which (IMHO) they are not. Again IMHO, FPs are inherent to signature-based ID and can be reduced (via many means), but not "turned off" (I am assuming everybody saw this equation of FPs vs FNs).

The most recent realization I had on that was when my Dragon NIDS produced a P#RN signature as a result of somebody reading an Apache manual (just like the signature doc said it might) :-) Obviously, NIDSs are still incredibly useful in spite of that!

I suspect that vendors might want to adjust signatures if there are persistent reports about some particular sig being very FP-prone, but not really based on every single report.

Best,
--
Anton A. Chuvakin, Ph.D., GCI*
http://www.chuvakin.org
http://www.info-secure.org
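The point made above, that a signature is worth adjusting when FP reports against it are persistent rather than one-off, is the kind of thing a false-positive database has to make queryable. The following is an added example, not code from either poster or from the whitehats.ca port database; it aggregates analyst-reviewed alert records by signature and flags the signatures that are both frequently reported and predominantly false. The signature identifiers, verdicts and context notes are constructed for illustration.

```python
"""Per-signature false-positive statistics from analyst-reviewed NIDS alerts.

Added example (not from the original thread). Alert records below are
constructed: each is (signature id, analyst verdict, short context note).
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class FPStats:
    """Review outcome tally for one signature."""
    sig_id: str
    total: int = 0
    false_positives: int = 0
    contexts: Counter = field(default_factory=Counter)  # context notes of the FP reports

    @property
    def fp_rate(self) -> float:
        return self.false_positives / self.total if self.total else 0.0


# Constructed sample: hypothetical signature ids, not real vendor sids.
REVIEWED_ALERTS = [
    ("web-porn-keyword", "FP", "Apache manual page"),
    ("web-porn-keyword", "FP", "Apache manual page"),
    ("web-porn-keyword", "FP", "HR policy document"),
    ("web-porn-keyword", "FP", "Apache manual page"),
    ("sql-union-select", "TP", "attack against /search"),
    ("sql-union-select", "FP", "DBA maintenance script"),
    ("sql-union-select", "TP", "attack against /login"),
    ("shellcode-nop-sled", "FP", "binary download"),      # a single report only
    ("root-login-attempt", "TP", "brute force from outside"),
    ("root-login-attempt", "TP", "brute force from outside"),
]


def aggregate(alerts):
    """Tally reviewed alerts into an FPStats per signature id."""
    stats = defaultdict(lambda: FPStats(sig_id=""))
    for sig_id, verdict, context in alerts:
        entry = stats[sig_id]
        entry.sig_id = sig_id
        entry.total += 1
        if verdict == "FP":
            entry.false_positives += 1
            entry.contexts[context] += 1
    return dict(stats)


def fp_prone(stats, min_reports=3, min_rate=0.8):
    """Signatures with enough reviewed reports to count as 'persistent' and a
    high FP share. A lone report never qualifies, whatever its verdict."""
    return sorted(
        s.sig_id for s in stats.values()
        if s.total >= min_reports and s.fp_rate >= min_rate
    )


def common_contexts(stats, sig_id, n=3):
    """Most frequent FP contexts for a signature, e.g. the benign page or
    tool that keeps tripping it; this is what a vendor would want to see."""
    return stats[sig_id].contexts.most_common(n)


if __name__ == "__main__":
    s = aggregate(REVIEWED_ALERTS)
    for sig in fp_prone(s):
        print(sig, f"{s[sig].fp_rate:.0%} FP over {s[sig].total} reports",
              common_contexts(s, sig))
```

With the constructed data only `web-porn-keyword` is flagged: `sql-union-select` has one FP among three reviews, and `shellcode-nop-sled` has a single report, which is exactly the case the message says should not drive a signature change on its own.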
Current thread:
- "False postive" database idea Anton A. Chuvakin (Sep 23)
- <Possible follow-ups>
- RE: "False postive" database idea Chad I. Uretsky (Sep 24)
- Re: "False postive" database idea George Bakos (Sep 24)
- Re: "False postive" database idea Anton A. Chuvakin (Sep 26)
- Re: "False postive" database idea George Bakos (Sep 26)
- RE: "False postive" database idea Jamie French (Sep 26)
- Re: "False postive" database idea George Bakos (Sep 24)
- RE: "False postive" database idea Anton A. Chuvakin (Sep 25)
- Re: "False postive" database idea Chris Reining (Sep 26)
- RE: "False postive" database idea Rob Shein (Sep 26)
- RE: "False postive" database idea Anton A. Chuvakin (Sep 30)