IDS mailing list archives

RE: Network hardware IPS


From: Frank Knobbe <frank () knobbe us>
Date: Fri, 10 Oct 2003 13:13:21 -0500

On Fri, 2003-10-10 at 12:56, Dave Killion wrote:
Knowing a particular HTTP attack detection signature, I can always invent a
URL that I claim is valid, and then therefore will trigger a false positive.
With that in mind, I have to go with best guess - the majority of the time,
if I see cmd.exe in a URL, is it malicious?  Most likely, yes. 

But it doesn't have to be. That's why we should strive to reduce false
positives. Perhaps a better signature (for starters, CMD.EXE? instead of
just CMD.EXE) or some sort of context within the request or even session
would be a better solution than to accept ... uhmm... collateral damage
by affecting some users with a weak sig.

My whole point in this discussion has been the fact that for a given attack,
it is possible to increase accuracy without reducing the detection rate
through accuracy and context.  That's really all there is to it.

heh...(I guess I should read emails in toto before replying...)

I agree that context can increase accuracy, but in my opinion it should
be a tool to reduce the detection rate (assuming we're reducing false
positives). Perhaps you need to define which detection rate you mean.
Alerts/detection that the sensor picks up, or alerts/detection that are
passed on to the administrator.

Regards,
Frank
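An added illustration of the signature-versus-context point made in the reply above (example code written for this archive page, not part of the original thread; the sample URLs are constructed, and the "traversal or system directory" context rule is one assumed way of adding context, not a rule from the discussion):

```python
from urllib.parse import unquote, urlsplit

# Constructed sample requests, not taken from the thread or from real traffic.
SAMPLE_URLS = [
    "/scripts/..%255c../winnt/system32/cmd.exe",   # traversal plus system path
    "/blog/why-cmd.exe-is-not-a-shell",            # benign article slug
    "/search?q=cmd.exe+tips",                      # benign query string
    "/downloads/tools/CMD.EXE",                    # file literally named cmd.exe, no traversal context
]


def naive_match(url):
    """Weak signature: fire on any occurrence of 'cmd.exe' anywhere in the raw URL."""
    return "cmd.exe" in url.lower()


def normalize_path(url):
    """Return the request path with percent-encoding removed and slashes unified.

    Decoding is repeated a few times so double-encoded sequences
    (%255c -> %5c -> backslash) end up as the character the server would see.
    """
    path = urlsplit(url).path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def contextual_match(url):
    """Context-aware signature (assumed rule): cmd.exe must be the requested
    file itself, and the path must also show traversal or a Windows system
    directory. A page that merely mentions cmd.exe, or a query string that
    contains it, does not fire."""
    segments = [s for s in normalize_path(url).split("/") if s]
    if not segments or segments[-1].lower() != "cmd.exe":
        return False
    traversal = any(s == ".." for s in segments)
    system_dir = any(s.lower() in ("system32", "winnt", "windows") for s in segments)
    return traversal or system_dir


def compare(urls):
    """Map each URL to (naive verdict, contextual verdict) so the difference
    in false positives can be seen side by side."""
    return {u: (naive_match(u), contextual_match(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, ctx) in compare(SAMPLE_URLS).items():
        print(f"{url:45s} naive={naive!s:5s} contextual={ctx}")
```

Against the four constructed URLs the naive substring signature alerts on all four, while the contextual version alerts only on the first; the other three are the kind of "collateral damage" the reply is talking about.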
