IDS mailing list archives

Re: False Positives with IntruVert


From: Paul Schmehl <pauls () utdallas edu>
Date: 28 Mar 2003 12:17:24 -0600

On Fri, 2003-03-28 at 11:36, Cure, Samuel J wrote:
> Looking for some feedback on IntruVert.  I have a client that is evaluating
> IntruVert in the lab and has been getting a lot of false positives on their
> network.  They are afraid to put IntruVert into IPS mode and actually stop
> traffic based on false positives.  Gartner Group has claimed that
> everyone is moving from Detection to Prevention, but if the underlying
> technology has this many flawed signatures, I do not see how anyone can
> confidently use it and start blocking all attacks.
 
I don't either.  There's a lot of jabber about IPS these days, but the
reality is, until the false positives problem is solved they will see
extremely limited duty.

> Has anyone put IntruVert into full Prevention mode, and what were the
> effects?  I have not heard of anyone actually using IntruVert's prevention
> mode, but mostly as an IDS.

> While it seems that many IDS/IPS reviewers rank and measure finding attacks
> high, it would seem equally, if not more, important to rank false positives
> high, especially in Prevention mode.  Are there any reviewers that have
> compared the false positives and false alarms of all the IDS/IPS products?
> Has anyone here compared false positives of IntruVert, Snort, Cisco,
> RealSecure, etc.?

I haven't seen any studies, but I can tell you from having used
Intrusion Inc's SecureNet Pro, snort and Cisco IDS, I'd be very
surprised to find a product with *no* false positives - especially those
that are purely signature based (almost none are anymore, but they all
use signatures.)

We are doing some limited IPS with snort, but the only rules we use it
on are detections of CodeRed on our network (and I just discovered some
false positives with that), and a custom rule I wrote to deliberately
block certain IPs that were persistently probing us.

I would be extremely hesitant to widely deploy IPS in a production
network.

-- 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member

