IDS mailing list archives
Re: Tuning false positives
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Sun, 1 Jan 2006 21:54:43 +0530
On 28/12/05 11:37 +0530, Pukhraj Singh wrote:
I agree with you on this point. Most products are prone to false positives in the production environment, when run in their default mode. This highlights the lack of good QA testing methodology for the product. Most vendors rub their hands off after making signatures and
Aren't false positives often a result of organisational policy and resulting network structure (or lack thereof)?
protocols parsers. One thing they don't realize that QA is an equally important process because companies can't afford to drop (mission critical) sessions due to a false positives. I am afraid there's
Which is why most of them can run in IDS mode, and only alert. Tuning is a must. A false positive due to a bad signature is a vendor QA failure. A false positive due to the system not knowing what your network policies are in the default state is user error. What works on your network will not work on mine. Devdas Bhagat ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Re: Tuning false positives Joel M Snyder (Jan 02)
- <Possible follow-ups>
- RE: Tuning false positives Ofer Shezaf (Jan 05)
- RE: Tuning false positives mhellman (Jan 05)
- Re: Tuning false positives Raffael Marty (Jan 11)
- Re: Tuning false positives mhellman (Jan 09)
- Re: Tuning false positives (SIM and VM) Ron Gula (Jan 12)
- Re: Tuning false positives (SIM and VM) David W. Goodrum (Jan 13)
- Re: Tuning false positives Raffael Marty (Jan 11)
- Re: Tuning false positives Devdas Bhagat (Jan 05)
- RE: Tuning false positives Gary Halleen (ghalleen) (Jan 05)