IDS mailing list archives
RE: False Positives
From: Steven Richards <srichards () netscreen com>
Date: Wed, 4 Jun 2003 13:19:29 -0700
<insert standard vendor disclaimer here>

I would like to offer up a couple of definitions of terms for discussion. We in the security space, more specifically the IDS/P space, should agree on some standard language. In my opinion, these terms should be considered:

False Positive = Sensor is supposed to be looking for 'xyz' and what actually goes across the wire is 'abc', which generates an alert.

Non-Security Event = Sensor is looking for 'XXX'; it sees 'XXX' go over the wire, *but* it is not an actual "Security Event" because the corporate security policy and/or the system configurations are intentionally not configured to disallow 'XXX'.

For example: you configure your systems to allow Null Login NetBIOS Sessions (for whatever reason) and your corporate security policies do not disallow this. The sensor sees this traffic and it generates an alert. It actually happened on your network. It's just that you don't *care* about it.
-----Original Message-----
From: Harshul Nayak (ealcatraz) [mailto:harshul () ealcatraz com]
Sent: Wednesday, June 04, 2003 1:11 PM
To: Andi Hess
Cc: focus-ids () securityfocus com
Subject: RE: False Positives

Hello Andi,

Quite often, many people use the term "false positive" for the tests conducted by you. With due respect to all, I would like to share this with reference to the article by Marcus J. Ranum for ICSA Labs IDSC. Your mail is referring to:

* False Attack Stimulus - A stimulus that causes an IDS to trigger an alarm when no actual exploited attack has occurred. False attack stimuli generate false positives; and are frequently seen during badly designed IDS tests or when attackers attempt to overload an IDS' alert processing capability using a tool such as Stick. Many scanning tools generate false attack stimuli. For example, if a vulnerability assessment tool connects to a web server and issues a "GET" for a known-vulnerable CGI-bin script, it is not the same thing as when a hacking tool connects and exercises the complete attack via the same script. Depending on the application protocols in use it may be difficult for the IDS to distinguish a stimulus that looks for a vulnerability from a stimulus that actually triggers a compromise in the system. False attack stimuli are deliberately used in some IDS testing regimens, attempting to verify the IDS' function without placing real systems at risk. When testing IDS a tester should mix a number of false attack stimuli with true attack stimuli.

Here is the definition of "false positive":

* False Positive - An alarm generated by an IDS in which the IDS alerts to a condition that is actually benign. In other words, the IDS made a mistake. A typical example of a false positive would be a case when an IDS raises a "SYN flood" alarm because it sees a large number of SYN packets directed at a busy web server and mistakenly concludes it is under attack. Another example of a false positive would be an IDS raising a "SMTP Wiz attack" alarm when it observes the string "DEBUG" in the body of an SMTP message.

Hope this helps you.

-regs
Harshul

Copyright © 2002 Sintelli http://www.sintelli.com
----------------------------------------------------------------
"A good listener is usually thinking about something else."

-----Original Message-----
From: Andi Hess [mailto:andi_hess () web de]
Sent: Tuesday, June 03, 2003 4:13 PM
To: focus-ids () securityfocus com
Subject: False Positives

Hi there,

I am new in the field of NIDS and I wonder if the problem of false positives is really as huge as mentioned in several publications. I am considering tools like PCP and Stick (I have never seen them, but have read about them), which can be used to generate huge amounts of packets, each one triggering an alarm on the victim IDS (a false positive, as the packets are not a real attack). As it has been impossible for me to find any of the above mentioned packet generators, I wonder what the packets look like. Is it possible to differentiate 'artificially' generated false positives from natural ones?

Any hint is welcome! Thank you.

A.

-------------------------------------------------------------------------------
INTRUSION PREVENTION: READY FOR PRIME TIME?
IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities - including intrusion identification, relevancy, direction, impact and analysis - enabling a path to prevention. Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: http://www.securityfocus.com/IntruVert-focus-ids2
-------------------------------------------------------------------------------
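Ranum's two false-positive examples quoted in the thread (the "DEBUG" string in an SMTP body, a SYN count on a busy web server), reproduced as toy detectors. This is added illustration code, not part of any message in the thread; the SMTP session, packet lists, alarm logic and thresholds are all constructed assumptions. Each naive signature fires on benign traffic, while a version that tracks protocol state only fires on the real condition.

```python
"""Added example: naive vs. protocol-aware checks for two classic IDS false positives."""

# --- 1. "SMTP Wiz attack" alarm triggered by the string DEBUG -----------
# Constructed SMTP session: DEBUG appears only inside the message body.
SMTP_SESSION = [
    "HELO mail.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "Set DEBUG=1 before running the tests.",
    ".",
    "QUIT",
]

def naive_wiz_alert(lines):
    """Fires when 'DEBUG' appears anywhere in the session, body included."""
    return any("DEBUG" in line.upper() for line in lines)

def protocol_aware_wiz_alert(lines):
    """Inspects only SMTP command lines; everything between DATA and the
    terminating '.' is message body and is never treated as a command."""
    in_body = False
    for line in lines:
        if in_body:
            in_body = line != "."
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb == "DATA":
            in_body = True
        elif verb == "DEBUG":
            return True
    return False

# --- 2. "SYN flood" alarm on a busy but healthy web server ---------------
# Constructed (client_port, tcp_flags) records for one server's connections.
BUSY_SERVER = [(p, f) for p in range(1000, 1200) for f in ("SYN", "SYN-ACK", "ACK")]
SYN_FLOOD = [(p, "SYN") for p in range(5000, 5200)]

def naive_syn_flood_alert(packets, threshold=100):
    """Fires on raw SYN volume; 200 completed handshakes look like an attack."""
    return sum(1 for _, flags in packets if flags == "SYN") > threshold

def half_open_alert(packets, threshold=100):
    """Fires only on handshakes the client never completes with its ACK."""
    half_open = set()
    for port, flags in packets:
        if flags == "SYN":
            half_open.add(port)
        elif flags == "ACK":
            half_open.discard(port)
    return len(half_open) > threshold
```

The naive checks alert on both constructed inputs; the state-tracking checks alert only on the session that actually issues DEBUG as a command and on the packet list whose handshakes never complete.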
Current thread:
- False Positives Andi Hess (Jun 03)
- RE: False Positives Harshul Nayak (ealcatraz) (Jun 04)
- Re: False Positives Tobias Klein (Jun 05)
- <Possible follow-ups>
- Re: False Positives MARTIN M. Bénoni (Jun 04)
- RE: False Positives Steven Richards (Jun 04)
- RE: False Positives Fergus Brooks (Jun 04)
- RE: False Positives Dudley, Brian (ISS Chicago) (Jun 05)