Re: Announcement: Alert Verification for Snort

[Martin Roesch <roesch () sourcefire com>]

On Oct 23, 2003, at 7:03 PM, Christopher Kruegel wrote:

> > > In case 2 the "nontextual" isn't a false positive but I think that 
> > > most people are calling it an FP these days.  I *personally* think 
> > > that's a misconception.  What we have in that case is a *real 
> > > attack* that your IDS is detecting exactly as it was asked to.  Just 
> > > because it doesn't have the additional information about the context 
> > > or relevance of the event isn't a problem with the IDS, it's a side 
> > > effect of the way that NIDS have been built for the past 10 years.
> >
> > In the not too distant past I would have agreed with this - but I 
> > think as IDS implementations grew, the way people describe FPs has 
> > changed.  I think today's IDS *needs* to know "the additional 
> > information about the context and relevance" - because the event you 
> > are referring to is what I'll call an "effective FP".  Effective 
> > because any time I spend trying to track down an IIS attack on an 
> > apache box is wasted effort.  I completely understand your point 
> > Marty, because an attack did occur, and the IDS did log it.  However, 
> > if it is going to log it, then I want it to tell me that the severity 
> > of the attack is lessened because it didn't succeed.  Even better, I 
> > want to see the 404 or 403 error, so I can show my boss why I didn't 
> > even bother to look into it.
>
> From a theoretical point of view, I think that Marty is right and his 
> classification is correct. In fact, we had a discussion about whether 
> 'alert verification' was the correct term to use. We then concluded 
> that most people don't care why they spent time looking at an alert 
> that doesn't matter to them and that they refer to such alerts in 
> general as false positives. That's why we used the terminology that we 
> did.

I think alert verification is a fine term, I just want people to 
understand the distinction between false positives and nontextuals.  We 
can do something about both of those cases but they require different 
solutions to address.  I don't want to confuse the issue if I come out 
with separate solutions that both address "false positives", people 
will ask why I couldn't get it right the first time. :)

    -Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
and use priority code SF4.
---------------------------------------------------------------------------