IDS mailing list archives

Re: False Positives


From: "MARTIN M. Bénoni" <benoni_martin () hotmail com>
Date: Wed, 04 Jun 2003 13:20:12 +0000

hello!

I prefer saying first that I am not really an expert in that field. However, I participated in a project where the goal was to set up an anti-intrusion "belt". There I compared Snort and NFR and finally started deploying this belt.

I have been working with people with good technical skills, but I have not heard about a "magic" way to avoid false positives. What I did under their supervision was to set up two machines with the same NIDS on each: one was the reference to see all the alerts, the other was tuned when seeing the alerts... So, much time spent on tuning the IDS, and, according to what I have heard, it is the longest part of the job!

Sorry I cannot provide a magic solution! :)

-Bénoni


From: Andi Hess <andi_hess () web de>
To: focus-ids () securityfocus com
Subject: False Positives
Date: 3 Jun 2003 16:13:11 -0000



Hi there,

I am new to the field of NIDS and I wonder if the
problem of false positives is really as huge as
mentioned in several publications.

I am considering tools like PCP and Stick (I have never
seen them, but have read about them) which can be used to
generate a huge number of packets, each one triggering an
alarm on the victim IDS (a false positive, as the
packets are not a real attack).
As it has been impossible for me to find any of the
above-mentioned packet generators, I wonder what the
packets look like.
Is it possible to differentiate 'artificially' generated
false positives from natural ones?

Any hint is welcome!

Thank you.

A.
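The two ideas in this thread, a reference sensor beside a tuned sensor to see what tuning suppresses, and telling a generated alert flood apart from organically arising false positives, can be exercised over alert logs. The script below is an added example, not code from either poster or from Snort or NFR. It parses Snort "fast"-style alert lines (the log lines, signature IDs and addresses are constructed for the example; the year 2003 is assumed because fast-format timestamps carry none), reports per-signature counts on both sensors so the suppressed signatures stand out, and applies a simple heuristic for flood-like sources: one source address firing many alerts across many distinct signatures inside a short window. The window and thresholds are assumed starting values, not published figures.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# One Snort 2.x "fast" alert line:
#   MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)
ASSUMED_YEAR = "2003"  # fast format has no year; assumption for the example

# Constructed reference-sensor log: a monitoring host pinging the server (noisy but benign),
# one genuine web probe, and a burst from a single source that hits six signatures in 2.5 s.
REFERENCE_LOG = """
06/03-16:13:01.000000  [**] [1:1000001:1] ICMP PING from monitor (constructed) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.2 -> 10.0.0.10
06/03-16:13:15.000000  [**] [1:1000002:1] WEB-MISC probe (constructed) [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.50:3321 -> 10.0.0.10:80
06/03-16:13:31.000000  [**] [1:1000001:1] ICMP PING from monitor (constructed) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.2 -> 10.0.0.10
06/03-16:13:40.000000  [**] [1:1000010:1] FLOOD-SIM sig A (constructed) [**] [Priority: 3] {TCP} 192.0.2.77:4444 -> 10.0.0.10:80
06/03-16:13:40.500000  [**] [1:1000011:1] FLOOD-SIM sig B (constructed) [**] [Priority: 3] {TCP} 192.0.2.77:4445 -> 10.0.0.10:80
06/03-16:13:41.000000  [**] [1:1000012:1] FLOOD-SIM sig C (constructed) [**] [Priority: 3] {TCP} 192.0.2.77:4446 -> 10.0.0.10:21
06/03-16:13:41.500000  [**] [1:1000013:1] FLOOD-SIM sig D (constructed) [**] [Priority: 3] {UDP} 192.0.2.77:4447 -> 10.0.0.10:53
06/03-16:13:42.000000  [**] [1:1000014:1] FLOOD-SIM sig E (constructed) [**] [Priority: 3] {TCP} 192.0.2.77:4448 -> 10.0.0.10:25
06/03-16:13:42.500000  [**] [1:1000015:1] FLOOD-SIM sig F (constructed) [**] [Priority: 3] {ICMP} 192.0.2.77 -> 10.0.0.10
06/03-16:14:01.000000  [**] [1:1000001:1] ICMP PING from monitor (constructed) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.2 -> 10.0.0.10
"""

# Constructed tuned-sensor log: same traffic, but the operator suppressed SID 1000001 for the monitor host.
TUNED_LOG = "\n".join(l for l in REFERENCE_LOG.splitlines() if "1000001" not in l)


def parse_alerts(text):
    """Return a list of dicts (ts, gid, sid, rev, msg, proto, src, dst); lines that do not parse are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["ts"] = datetime.strptime(ASSUMED_YEAR + "/" + a["ts"], "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append(a)
    return alerts


def compare_sensors(reference, tuned):
    """Map sid -> (count on reference sensor, count on tuned sensor) for every sid the reference saw."""
    ref = Counter(a["sid"] for a in reference)
    tun = Counter(a["sid"] for a in tuned)
    return {sid: (ref[sid], tun.get(sid, 0)) for sid in ref}


def suppressed_signatures(reference, tuned):
    """Signatures that fired on the reference sensor but never on the tuned one, i.e. what the tuning removed."""
    return sorted(sid for sid, (r, t) in compare_sensors(reference, tuned).items() if r > 0 and t == 0)


def flood_sources(alerts, window_seconds=10, min_alerts=5, min_distinct_sids=3):
    """Heuristic (assumed thresholds): a source whose densest window holds >= min_alerts alerts
    spanning >= min_distinct_sids distinct signatures looks like a generated alert flood.
    Returns src -> (alerts in densest window, distinct sids in that window)."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    flagged = {}
    for src, items in by_src.items():
        items.sort(key=lambda a: a["ts"])
        best = (0, 0)
        start = 0
        for end in range(len(items)):  # sliding window over this source's alerts
            while (items[end]["ts"] - items[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = items[start:end + 1]
            stats = (len(window), len({a["sid"] for a in window}))
            if stats > best:
                best = stats
        if best[0] >= min_alerts and best[1] >= min_distinct_sids:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    ref, tun = parse_alerts(REFERENCE_LOG), parse_alerts(TUNED_LOG)
    for sid, (r, t) in sorted(compare_sensors(ref, tun).items()):
        print(f"sid {sid}: reference={r} tuned={t}")
    print("suppressed by tuning:", suppressed_signatures(ref, tun))
    print("flood-like sources:", flood_sources(ref))
```

The comparison is what the two-machine setup buys you: the reference sensor keeps showing SID 1000001 from the monitoring host, the tuned sensor does not, and nothing else changed, so the tuning can be audited rather than trusted. The flood heuristic is deliberately crude; a real deployment would also weigh whether the alerting packets belong to established sessions, since a generator that only needs to match signatures has no reason to complete handshakes, but that check needs packet-level data the fast log does not carry.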




-------------------------------------------------------------------------------
INTRUSION PREVENTION: READY FOR PRIME TIME?

IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities
- including intrusion identification, relevancy, direction, impact and analysis
- enabling a path to prevention.

Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at:
http://www.securityfocus.com/IntruVert-focus-ids2
-------------------------------------------------------------------------------





