IDS mailing list archives
RE: amount of alarms generated by IDS
From: "Harper, Patrick" <patrick.harper () phns com>
Date: Thu, 6 May 2004 07:47:16 -0500
I think it depends on tuning and IDS philosophy. Do you monitor inside or outside your firewall, or both? Do you monitor your internal network? Do you run with all the rules, the default set, or do you tailor your ruleset for the devices and servers on your network?

-----Original Message-----
From: Anton A. Chuvakin [mailto:anton () chuvakin org]
Sent: Wednesday, May 05, 2004 4:27 PM
To: focus-ids () securityfocus com
Subject: Re: amount of alarms generated by IDS
> How many alarms will an IDS generate per day? What percentage of them
> are false positives? I know it depends on the product, the monitored network and other factors, such as date, time etc.
It obviously does, but I am wondering how stable the FP ratio ('false positive') will be across different networks. I suspect that everybody sits on their own numbers and thinks 'oh, it's different for every network'. But is it really so? Maybe the reason that such information is not widely available is that few people actually analyze their IDS events with the required depth..? If so, it would add some rocket fuel to Gartner's IDS bonfire :-)

I have some rough metrics from various production networks and various NIDS products (for default signatures), but am very curious what others have. I'd also exclude some notorious signatures (like NOP on port 80) from analysis, and will only look at "random" FPs vs the systematic ones (such as the above).

Discussion anybody?

Best,
-- 
Anton A. Chuvakin, Ph.D., GCIA, GCIH
http://www.info-secure.org
http://www.securitywarrior.com
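As an added illustration of the kind of analysis Anton describes (separating systematic FPs from a notoriously noisy signature such as a NOP rule on port 80 from the "random" FPs), the following Python script is example code written for this page; it is not from any list participant or from any IDS product. It parses constructed Snort-style fast-alert lines to which an analyst verdict (TP or FP) has been appended as a hypothetical extra field, computes the overall false-positive ratio, flags signatures that are both high-volume and almost always wrong as systematic, and reports the residual FP ratio once those are excluded. The sample alerts, the SIDs they carry and the thresholds (5 hits, 90% FP share) are all assumptions.

```python
"""FP-ratio analysis of IDS alerts, with systematic (noisy) signatures separated out.
Example code written for this page; the data below is constructed, not captured."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: Snort-style fast-alert lines with an analyst verdict appended
# as the last field (TP = real attack, FP = false positive). Not real traffic.
SAMPLE_ALERTS = """\
05/05-10:01:12.000001 [**] [1:1394:5] SHELLCODE x86 NOOP [**] {TCP} 10.0.0.5:3321 -> 192.168.1.20:80 FP
05/05-10:02:40.000001 [**] [1:1394:5] SHELLCODE x86 NOOP [**] {TCP} 10.0.0.9:4410 -> 192.168.1.20:80 FP
05/05-10:03:05.000001 [**] [1:1394:5] SHELLCODE x86 NOOP [**] {TCP} 10.0.0.7:1025 -> 192.168.1.21:80 FP
05/05-10:07:19.000001 [**] [1:1394:5] SHELLCODE x86 NOOP [**] {TCP} 10.0.0.5:3350 -> 192.168.1.20:80 FP
05/05-10:09:51.000001 [**] [1:1394:5] SHELLCODE x86 NOOP [**] {TCP} 10.0.0.8:2201 -> 192.168.1.22:80 FP
05/05-10:11:02.000001 [**] [1:1394:5] SHELLCODE x86 NOOP [**] {TCP} 10.0.0.6:3902 -> 192.168.1.20:80 FP
05/05-10:12:30.000001 [**] [1:1002:7] WEB-IIS cmd.exe access [**] {TCP} 172.16.4.4:51022 -> 192.168.1.20:80 TP
05/05-10:13:01.000001 [**] [1:1002:7] WEB-IIS cmd.exe access [**] {TCP} 10.0.0.12:2233 -> 192.168.1.20:80 FP
05/05-10:20:00.000001 [**] [1:469:3] ICMP PING NMAP [**] {ICMP} 172.16.4.4 -> 192.168.1.20 TP
05/05-10:20:01.000001 [**] [1:469:3] ICMP PING NMAP [**] {ICMP} 172.16.4.4 -> 192.168.1.21 TP
05/05-10:30:00.000001 [**] [1:384:5] ICMP PING [**] {ICMP} 10.0.0.3 -> 192.168.1.1 FP
05/05-10:31:00.000001 [**] [1:384:5] ICMP PING [**] {ICMP} 10.0.0.4 -> 192.168.1.1 FP
"""

# [gid:sid:rev] and message between the [**] markers; the verdict is the last token.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r".*\s(?P<verdict>TP|FP)$"
)


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    verdict: str  # "TP" or "FP"


def parse_alerts(text):
    """Parse verdict-annotated fast-alert lines; reject anything that does not fit."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.search(line)
        if m is None:
            raise ValueError(f"unparseable alert line: {line!r}")
        alerts.append(Alert(int(m["sid"]), m["msg"], m["verdict"]))
    return alerts


def fp_ratio(alerts):
    """Fraction of alerts judged false positive; 0.0 for an empty list."""
    if not alerts:
        return 0.0
    return sum(a.verdict == "FP" for a in alerts) / len(alerts)


def per_signature(alerts):
    """Map sid -> (total alerts, FP count), the basis for spotting noisy signatures."""
    stats = defaultdict(lambda: [0, 0])
    for a in alerts:
        stats[a.sid][0] += 1
        if a.verdict == "FP":
            stats[a.sid][1] += 1
    return {sid: (tot, fp) for sid, (tot, fp) in stats.items()}


def systematic_signatures(alerts, min_count=5, min_fp_share=0.9):
    """Signatures that fire often and are almost always wrong on this network.
    A low-volume signature is never called systematic, even at 100% FP so far:
    two ICMP PING false positives do not yet say anything about the rule."""
    return {sid for sid, (tot, fp) in per_signature(alerts).items()
            if tot >= min_count and fp / tot >= min_fp_share}


def residual_fp_ratio(alerts, excluded):
    """FP ratio over the remaining 'random' alerts once systematic signatures are dropped."""
    return fp_ratio([a for a in alerts if a.sid not in excluded])


def main():
    alerts = parse_alerts(SAMPLE_ALERTS)
    noisy = systematic_signatures(alerts)
    print(f"{len(alerts)} alerts, overall FP ratio {fp_ratio(alerts):.2f}")
    print(f"systematic signatures: {sorted(noisy)}")
    print(f"residual FP ratio (random FPs only): {residual_fp_ratio(alerts, noisy):.2f}")
    for sid, (tot, fp) in sorted(per_signature(alerts).items()):
        print(f"  sid {sid}: {tot} alerts, {fp} FP ({fp / tot:.0%})")


if __name__ == "__main__":
    main()
```

On the constructed sample the overall ratio is 0.75, but once the single systematic signature is excluded the residual ratio drops to 0.50, which is the number that is actually comparable between networks; the overall figure is dominated by whichever noisy rule happens to be enabled.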
Current thread:
- Re: amount of alarms generated by IDS Alberto Gonzalez (May 03)
- <Possible follow-ups>
- Re: amount of alarms generated by IDS Anton A. Chuvakin (May 05)
- Re: amount of alarms generated by IDS Jason Haar (May 06)
- RE: amount of alarms generated by IDS Shawn (May 06)
- RE: amount of alarms generated by IDS Ravishankar Ithal (May 07)
- RE: amount of alarms generated by IDS Harper, Patrick (May 06)
- Re: amount of alarms generated by IDS Bhargav Bhikkaji (May 10)
- Re: amount of alarms generated by IDS Ravishankar Ithal (May 10)
- RE: amount of alarms generated by IDS Rob Shein (May 11)
- RE: amount of alarms generated by IDS Ravishankar Ithal (May 12)
- RE: amount of alarms generated by IDS Rob Shein (May 11)
- Re: amount of alarms generated by IDS Jason (May 11)
- Re: amount of alarms generated by IDS Dennis Cox (May 11)
- Re: amount of alarms generated by IDS Jason (May 13)
- Re: amount of alarms generated by IDS Ravishankar Ithal (May 10)
- RE: amount of alarms generated by IDS Frank Knobbe (May 11)
- Hi, I want to study IPS cto (May 11)