IDS mailing list archives

Re: Snort with an expert system


From: Richard Bejtlich <taosecurity () gmail com>
Date: Thu, 25 Jun 2009 17:12:31 -0400

On Thu, Jun 25, 2009 at 2:55 PM, Greg Shipley<gshipley () neohapsis com> wrote:

I respect the spirited and intelligent conversation here, but at the
risk of sounding like a) an old guy that's been following this stuff
for too long and b) a complete jerk:

1. IDS vendor / IDS software engineer / uber-geek view: "it's not
  technically a false-positive because if signature/ rule /
  pattern-match/ neugent/ whatever fired on x and it was programmed
  to identify q but you have to factor in y, and z, and..."

  <bang head here -----> X

2. Infosec operational person trying to do his job: "Was I attacked
  and was the attack successful?  Yes or NO will suffice, thank you."

I submit that for the vast majority of consumers of IDS technology we
really only give a crap about #2.  So if the device can give us
reasonably accurate answers to #2 we are happy.  And if it can't we
are unhappy.

I think the fact we've been discussing these topics for close to
twenty years now suggests that we aren't happy, but maybe I'm too old
and being a jerk.  :)

My .01,

-Greg


Hi everyone,

This is a cool debate.  I submit that it is technically impossible to
build anything that will not 100% avoid "#2" false positives.  I'm a
#1 guy myself; the only real "false positive" is the system telling
you it saw something, when that something actually never happened,
e.g., "IDS: I saw ICMP!  User: There was no ICMP; your engine isn't
working properly."

For any case you develop that you think is absolutely, positively,
without a doubt an "intrusion" that you could identify with an IDS, I
can probably develop a case where that activity could turn out to be
legitimate, and therefore, in the eyes of the organization, a "false
positive."

I think the "IDS" has been misnamed from the beginning.  (Blame Mr.
Anderson?)  It should have been Attack Indication System or something
similar.  After all "If you can detect it, why can't you prevent it?"
Now it's really time to "bang head here."  :)

Sincerely,

Richard
