IDS mailing list archives
Re: RE: Tuning false positives - SIM is not the answer
From: Anton Chuvakin <anton () chuvakin org>
Date: Thu, 12 Jan 2006 20:40:38 -0500
All,
> SIM systems have nothing to do with the fact your IDS/IPS gets 300,000 alerts per day. It'll just sum it up nicely for you so you don't read them one at a time.

I might be going against the flow and, additionally, running a risk of my vendor hat burning my head, but I just have to barge in. SIM *can* help with false positives. No, really, it can! And not only through the use of vulnerability data (collected before or after the alert in question).

So, let's say we have an IDS alert that we suspect might be false. What is one of the things an analyst can do (apart from looking at a payload)? Look at what impact the alert had on the target! If your SIM can intelligently match up the logs from the target OS and applications, it can do pretty much the same to conclude the validity of the alert. One of my favorite examples is matching NIDS web attack sigs with 404 codes in the web server logs. I don't want to go into product details, but I am sure you get a general theme here...

Will SIM eliminate *all* false positives and totally replace IDS tuning? No way, but it can help a lot if used diligently, especially in an environment with multiple IDS brands running.

Best,

--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://www.securitywarrior.com
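The correlation Anton describes (matching a NIDS web-attack alert against what the target web server actually logged for that request) is simple enough to script without a SIM. The block below is an added example, not code from the original post or from any product it alludes to. It parses constructed Snort-style fast-alert lines and Apache combined-format lines (both embedded inline and made up for this example; the signature IDs and addresses are illustrative), pairs each alert with the web server's own record of the same client within a short time window, and uses the HTTP status code as the "impact on the target" evidence: a 404 means the attack hit nothing that exists, a 2xx or 5xx means the request was served or broke something and deserves a look, and no matching log line at all is its own finding. The year constant and the five-second window are assumptions, since Snort's fast-alert timestamp carries no year.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data for this example (not from the original post).
SNORT_ALERTS = """\
01/12-20:40:38.123456  [**] [1:1122:6] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51234 -> 192.168.1.10:80
01/12-20:41:02.554321  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:4021 -> 192.168.1.10:80
01/12-20:42:15.000001  [**] [1:1122:6] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:33000 -> 192.168.1.10:80
01/12-20:43:30.777777  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.11:2020 -> 192.168.1.10:80
"""

APACHE_LOG = """\
10.0.0.5 - - [12/Jan/2006:20:40:38 -0500] "GET /cgi-bin/../../../etc/passwd HTTP/1.1" 404 289 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Jan/2006:20:41:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 301 "-" "-"
10.0.0.7 - - [12/Jan/2006:20:42:15 -0500] "GET /cgi-bin/view.cgi?file=../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.15"
"""

YEAR = 2006                     # assumption: Snort fast-alert timestamps have no year
WINDOW = timedelta(seconds=5)   # assumption: sensor and server clocks agree to a few seconds

SNORT_RE = re.compile(
    r"^(?P<month>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)
APACHE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r"(?P<status>\d{3}) "
)


def parse_snort(text):
    """Parse Snort 'fast' alert lines into dicts; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR}/{m['month']}/{m['day']} {m['time']}", "%Y/%m/%d %H:%M:%S")
        alerts.append({"ts": ts, "sid": m["sid"], "msg": m["msg"], "src": m["src"],
                       "dst": m["dst"], "dport": int(m["dport"])})
    return alerts


def parse_apache(text):
    """Parse Apache combined-format lines; the timezone offset is dropped on the
    assumption that both logs are written in the same local time."""
    entries = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        entries.append({"ts": ts, "client": m["client"], "method": m["method"],
                        "uri": m["uri"], "status": int(m["status"])})
    return entries


def triage(alerts, web_entries, window=WINDOW):
    """Attach a verdict to each web alert based on what the target server logged.

    likely-false-positive: every matching request got a 404 (nothing there to attack)
    investigate:           the server served (2xx) or choked on (5xx) the request
    review:                other outcomes (redirects, 401/403, etc.) need a human
    no-log-match:          the server never logged it (evasion, drop upstream, or a logging gap)
    unverifiable:          not a web alert, so web logs cannot speak to it
    """
    results = []
    for a in alerts:
        if a["dport"] != 80:
            results.append({"alert": a, "verdict": "unverifiable", "evidence": []})
            continue
        matches = [e for e in web_entries
                   if e["client"] == a["src"] and abs(e["ts"] - a["ts"]) <= window]
        if not matches:
            verdict = "no-log-match"
        elif all(e["status"] == 404 for e in matches):
            verdict = "likely-false-positive"
        elif any(200 <= e["status"] < 300 or e["status"] >= 500 for e in matches):
            verdict = "investigate"
        else:
            verdict = "review"
        results.append({"alert": a, "verdict": verdict, "evidence": matches})
    return results


def summarize(results):
    """Count verdicts, so the analyst sees the queue size per bucket at a glance."""
    counts = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in triage(parse_snort(SNORT_ALERTS), parse_apache(APACHE_LOG)):
        a = r["alert"]
        seen = ", ".join(f"{e['method']} {e['uri']} -> {e['status']}" for e in r["evidence"])
        print(f"{a['ts']:%H:%M:%S} [{a['sid']}] {a['msg']} from {a['src']}: {r['verdict']} ({seen or 'no web log entry'})")
```

Two caveats worth keeping in mind when doing this for real. A 404 is strong but not conclusive evidence: an application that executes something and then returns 404, or a blind attack whose effect shows up elsewhere, will still look clean here, so the verdict is "likely", not "certainly". And the no-log-match bucket is often the most interesting one, because it is exactly where sensor-versus-server decoding differences (the classic evasion case) surface, or where you discover that the target is not logging at all.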
Current thread:
- Re: Tuning false positives - SIM is not the answer, (continued)
- Re: Tuning false positives - SIM is not the answer Brent Stackhouse (Jan 12)
- Re: Tuning false positives - SIM is not the answer Jason (Jan 11)
- Re: Tuning false positives - SIM is not the answer Brent Stackhouse (Jan 10)
- Re: Tuning false positives - SIM is not the answer Brent Stackhouse (Jan 11)
- RE: Tuning false positives - SIM is not the answer Bruce Young (Jan 15)
- RE: Tuning false positives - SIM is not the answer Ron Gula (Jan 16)