IDS mailing list archives

RE: False Positives


From: "Harshul Nayak (ealcatraz)" <harshul () ealcatraz com>
Date: Wed, 4 Jun 2003 18:11:12 -0000

Hello Andi,

Quite often, many people use the term "false positive" for the tests
conducted by you. With due respect to all, I would like to share the
following, with reference to the article by Marcus J. Ranum for ICSA Labs IDSC:

Your mail is referring to:

• False Attack Stimulus – A stimulus that causes an IDS to trigger an alarm when no actual exploited attack has occurred. False attack stimuli generate false positives, and are frequently seen during badly designed IDS tests or when attackers attempt to overload an IDS’ alert processing capability using a tool such as Stick. Many scanning tools generate false attack stimuli. For example, if a vulnerability assessment tool connects to a web server and issues a “GET” for a known-vulnerable CGI-bin script, it is not the same thing as when a hacking tool connects and exercises the complete attack via the same script. Depending on the application protocols in use it may be difficult for the IDS to distinguish a stimulus that looks for a vulnerability from a stimulus that actually triggers a compromise in the system. False attack stimuli are deliberately used in some IDS testing regimens, attempting to verify the IDS’ function without placing real systems at risk. When testing IDS a tester should mix a number of false attack stimuli with true attack stimuli.

Here is the definition of "false positive":

• False Positive – An alarm generated by an IDS in which the IDS alerts to a condition that is actually benign. In other words, the IDS made a mistake. A typical example of a false positive would be a case when an IDS raises a “SYN flood” alarm because it sees a large number of SYN packets directed at a busy web server and mistakenly concludes it is under attack. Another example of a false positive would be an IDS raising an “SMTP Wiz attack” alarm when it observes the string “DEBUG” in the body of an SMTP message.

Hope this helps you.

-regs
Harshul
Copyright © 2002 Sintelli
http://www.sintelli.com
----------------------------------------------------------------
"A good listener is usually thinking about something else."
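The second false-positive example quoted above (an "SMTP Wiz attack" alarm on the word "DEBUG" inside a mail body) can be illustrated with a small added check; this is example code written for this page, not something from the thread or from any IDS product, and the SMTP session lines are constructed. It contrasts a naive string match over the whole stream with a detector that tracks the SMTP command/DATA phases and alerts only when the suspect word is sent as a command verb.

```python
"""Context-aware check for the 'SMTP Wiz attack' false positive.

A naive signature that matches "DEBUG" or "WIZ" anywhere in the TCP stream
fires on mail that merely mentions those words in its body. Tracking the
SMTP state (command phase vs. DATA phase) lets the detector alert only when
the string is issued as a command verb to the server.
"""

# Constructed sample: client->server lines of a benign SMTP session.
BENIGN_SESSION = [
    "HELO mail.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "Subject: build log",
    "",
    "Turn on DEBUG mode and re-run the job.",
    "WIZ is just a word here",
    ".",
    "QUIT",
]

# Constructed sample: the same words issued as commands (command phase).
COMMAND_SESSION = [
    "HELO client.example.test",
    "WIZ",
    "DEBUG",
    "QUIT",
]

SUSPECT_COMMANDS = {"WIZ", "DEBUG"}


def naive_alerts(lines):
    """Signature-only: any line containing DEBUG/WIZ anywhere -> alert."""
    return [l for l in lines if any(c in l.upper() for c in SUSPECT_COMMANDS)]


def context_alerts(lines):
    """State-aware: alert only on WIZ/DEBUG sent as an SMTP command verb."""
    alerts = []
    in_data = False
    for line in lines:
        if in_data:
            if line == ".":          # end-of-message marker leaves DATA phase
                in_data = False
            continue                 # body text never triggers an alert
        verb = line.split(" ", 1)[0].upper()
        if verb == "DATA":
            in_data = True
        elif verb in SUSPECT_COMMANDS:
            alerts.append(line)
    return alerts
```

Run on the benign session the naive matcher raises two alarms while the state-aware check raises none; on the command session both raise the same two alarms.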

-----Original Message-----
From: Andi Hess [mailto:andi_hess () web de]
Sent: Tuesday, June 03, 2003 4:13 PM
To: focus-ids () securityfocus com
Subject: False Positives




Hi there,

I am new to the field of NIDS and I wonder if the
problem of false positives is really as huge as
mentioned in several publications.

I am considering tools like PCP and Stick (I have never
seen them, but have read about them) which can be used to
generate a huge number of packets, each one triggering an
alarm on the victim IDS (a false positive, as the
packets are not a real attack).
As it has been impossible for me to find any of the
above-mentioned packet generators, I wonder what the
packets look like?
Is it possible to differentiate 'artificially' generated
false positives from natural ones?

Any hint is welcome!

Thank you.

A.




----------------------------------------------------------------------------
---
INTRUSION PREVENTION: READY FOR PRIME TIME?

IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities
- including intrusion identification, relevancy, direction, impact and
analysis
- enabling a path to prevention.

Download the latest white paper "Intrusion Prevention: Myths, Challenges,
and Requirements" at:
http://www.securityfocus.com/IntruVert-focus-ids2
----------------------------------------------------------------------------
---

