IDS mailing list archives

Re: Snort with an expert system

From: "Stuart Staniford" <sstaniford () FireEye com>
Date: Fri, 26 Jun 2009 12:30:45 -0700


On Jun 25, 2009, at 5:18 PM, Gary Halleen wrote:

On 6/25/09 3:26 AM, "Stefano Zanero" <s.zanero () securenetwork it>wrote:
"A false positive is an alert that triggers on normal trafficwhere no
intrusion or attack is underway"
That's a good definition, but not really complete. Under that
definition, if you place a rule that flags IRC connections, and it
fires, is that a false positive?
GH: No. If a rule or signature fires on traffic you asked it tofire on,
then it is not a false positive, regardless of whether or not it is an
attack or intrusion.

To echo what Greg said - from a customer perspective, it's all thesame. Customers generally buy both an engine and a set of rules as asingle package, and if the combination is reporting things that aren'tactual attacks, then it's making them unhappy. Few customers arewriting their own rules.

Distinguishing between whether the problem is in the engine or therule is useful internally at the vendor to decide what needs to getfixed, but customers are not likely to care that much.

The way our (FireEye's) technology reduces false positives is toreplay the traffic in an instrumented virtual machine, to see if itreally is an attack or not. We have a lot fewer false positives thantraditional IDS products (we don't ship a release with any that areknown to us, though a few still pop up in the field unfortunately -you can never test against everything that will show up on acustomer's network)


Stuart Staniford.

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate 
on your web server, you can securely collect sensitive information online, and increase business by giving your 
customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Current thread:

Re: Snort with an expert system, (continued)
- - - Re: Snort with an expert system Gary Halleen (Jun 26)
    - Re: Snort with an expert system Stefano Zanero (Jun 26)
    - Re: Snort with an expert system mhellman (Jun 26)
    - Re: Snort with an expert system Martin Roesch (Jun 29)
    - Re: Snort with an expert system Tomas Olsson (Jun 30)
    - Re: Snort with an expert system Stefano Zanero (Jun 30)
    - Re: Snort with an expert system Richard Bejtlich (Jun 25)
    - Re: Snort with an expert system Martin Roesch (Jun 26)
    - Re: Snort with an expert system Gary Halleen (Jun 26)
    - Re: Snort with an expert system Gary Halleen (Jun 26)
    - Re: Snort with an expert system Stuart Staniford (Jun 26)
    - Re: Snort with an expert system Gary Halleen (Jun 26)