IDS mailing list archives

"False positive" database idea


From: "Anton A. Chuvakin" <anton () chuvakin org>
Date: Tue, 23 Sep 2003 12:51:56 -0400 (EDT)

All,

I suspect most people monitoring lots of NIDS sensors start to have their
own favorite "false positives". After I upped the number of snort sensors
I run, I started seeing lots of nice ones :-) And that made me think of the
following idea.

Why can't a public database of "false positives" be created so that NIDS
users everywhere can submit theirs and make life simple for everybody? Of
course, that applies to NIDS with open sigs such as Snort and Dragon.
Obviously, lots of FPs are specific to a certain brand of NIDS, but I
think it will still be pretty useful (especially since other NIDS vendors
are adopting Snort sig language...)

For example, submission may take the form of 'Application X during auth
phase always triggers snort alarm Y' or 'I keep seeing this in my
environment; here is the packet dump, here is the alert X which gets
triggered'

I suspect implementing such an idea will optimize the NIDS rule
development by a large margin and will help to fight off evil anti-NIDS
FUD.

Just to clarify, "false positive" here is a known benign triggering of a
NIDS alert (NOT 'my Apache is hit by CodeRed' some people are confused
about :-)). E.g. (just saw it :-)) fetchmail SSL auth under such and such
conditions triggers snort 649 SHELLCODE sig.

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCI*
     http://www.chuvakin.org
   http://www.info-secure.org
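To make the submission format in the post concrete, here is an added example (not code from the post or from the Snort project) of the consumer side: a tiny "known benign" database of entries shaped like 'application X under condition Y triggers sig Z', and a matcher that runs Snort fast-format alert lines against it so analysts can tell a catalogued FP from an alert that still needs review. The alert lines and the database entries are constructed for the example; in particular, tying the fetchmail entry to TCP port 993 is an assumption made here, not a condition the post states.

```python
"""Match Snort 'fast' alert lines against a small known-false-positive database.

Added example, not code from the original post. The alert lines and FP entries
below are constructed; the 'TCP/993' condition on the fetchmail entry is an
assumption for the example, not something the post states.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Snort "fast" alert format (-A fast). Classification/Priority are optional fields.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class FPEntry:
    """One submission: 'application X under condition Y triggers sig Z'."""
    sid: int
    application: str
    note: str
    proto: Optional[str] = None   # optional condition: transport protocol, e.g. "TCP"
    dport: Optional[int] = None   # optional condition: destination port

    def matches(self, alert: dict) -> bool:
        # Every condition that the submitter set must hold; unset ones are wildcards.
        if alert["sid"] != self.sid:
            return False
        if self.proto is not None and alert["proto"] != self.proto:
            return False
        if self.dport is not None and alert["dport"] != self.dport:
            return False
        return True


def parse_alert(line: str) -> Optional[dict]:
    """Parse one fast-format line into a dict, or None if it is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport", "pri"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def classify_alerts(lines, fp_db):
    """Return [(alert, matching FPEntry or None)] for every parseable line."""
    out = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        hit = next((e for e in fp_db if e.matches(alert)), None)
        out.append((alert, hit))
    return out


# Constructed database: the poster's fetchmail/sid 649 case, with an assumed port condition.
FP_DB = [
    FPEntry(sid=649, application="fetchmail",
            note="SSL auth to IMAPS trips the SHELLCODE x86 NOOP rule",
            proto="TCP", dport=993),
]

# Constructed alert lines in Snort fast format.
SAMPLE_ALERTS = [
    "09/23-12:51:56.100001  [**] [1:649:8] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.5:40112 -> 192.0.2.10:993",
    "09/23-12:52:01.200002  [**] [1:649:8] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.5:40113 -> 192.0.2.20:80",
    "09/23-12:52:05.300003  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 3] {UDP} 10.0.0.6:5353 -> 224.0.0.251:5353",
    "this line is not an alert",
]

if __name__ == "__main__":
    for alert, hit in classify_alerts(SAMPLE_ALERTS, FP_DB):
        tag = f"known-FP ({hit.application}: {hit.note})" if hit else "review"
        print(f"sid {alert['sid']} {alert['src']} -> {alert['dst']}:{alert['dport']}  {tag}")
```

The matcher deliberately keys on the signature ID plus the submitter's stated conditions rather than on the SID alone: the same sid 649 hit against port 80 is not covered by the fetchmail entry and stays in the review queue, which is the distinction between "known benign" and "suppress this rule" that the post draws.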


