IDS mailing list archives

Previous By Date Next
Previous By Thread Next

RE: "False postive" database idea

From: "Jamie French" <whitehats () sympatico ca>
Date: Fri, 26 Sep 2003 16:19:10 -0400
Just caught a part of this thread.

I have a port database at
http://www.whitehats.ca/main/tools/portquery2/portquery2.html that can be
used to house lots of this type of info - even from a false positive
perspective.

If you can think of ways to improve the schema or create another DB for this
purpose I'd be happy to contribute some resources and time when I can afford
to.

For instance do a query for in the description field for 'root' (less the
literal quotes) and see what pops up.

Common false positives could be incorporated here too.  As you can see this
is broader than the scope of a port database.

Comments/Suggestions welcome.

Jamie French
j.french at whitehats.ca



-----Original Message-----
From: Anton A. Chuvakin [mailto:anton () chuvakin org]
Sent: Thursday, September 25 2003 5:22 PM
To: George Bakos
Cc: focus-ids () securityfocus com
Subject: Re: "False postive" database idea


George and all,


A bugzilla approach might make more sense, so that the appropriate
developers are afforded the opportunity to address any issues with their

Hmm, not sure. That kinda implies that "false positives" are "bugs" in
NIDSs, which (IMHO) they are not. Again IMHO, FPs are inherent to
signature-based ID and can be reduced (via many means), but not "turned
off" (I am assuming everybody saw this equation of FPs vs FNs).  The most
recent realization I had on that was when my Dragon NIDS produced a P#RN
signature as a result of somebody reading an Apache manual (just like the
signature doc said it might) :-) Obviously, NIDSs are still incrediblky
useful in spite of that!

I suspect that vendors might want to adjust signatures if there are
persistent reports about some particular sig being very FP-prone, but not
really based on every single report.

Best,
--
  Anton A. Chuvakin, Ph.D., GCI*
     http://www.chuvakin.org
   http://www.info-secure.org


---------------------------------------------------------------------------
Captus Networks IPS 4000
Intrusion Prevention and Traffic Shaping Technology to:
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Precisely Define and Implement Network Security & Performance Policies
FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------



---------------------------------------------------------------------------
Captus Networks IPS 4000
Intrusion Prevention and Traffic Shaping Technology to: 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Precisely Define and Implement Network Security & Performance Policies
FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo 
http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: