IDS mailing list archives
Re: Announcement: Alert Verification for Snort
From: Michael Stone <mstone () mathom us>
Date: Thu, 23 Oct 2003 21:20:33 -0400
On Thu, Oct 23, 2003 at 12:03:13PM +0200, Konrad Rieck wrote:
> If Snort or any IDS reports an alert with CVE number, and the corresponding probe (in your case a NASL script) doesn't detect a vulnerability, can you ensure that there isn't one?
If snort doesn't detect anything can you be sure there isn't an intrusion? Why not just record everything? The volume of attacks a large site sees requires some kind of filtering; it might be nice to say that it's better to report 1000 false positives than to allow 1 attack to go undetected, but at some point there is no realistic chance of all the data being examined.
Mike Stone