IDS mailing list archives
"False positive" database idea
From: "Anton A. Chuvakin" <anton () chuvakin org>
Date: Tue, 23 Sep 2003 12:51:56 -0400 (EDT)
All,

I suspect most people monitoring lots of NIDS sensors start to have their own favorite "false positives". After I upped the number of snort sensors I run, I started seeing lots of nice ones :-) And that made me think of the following idea.

Why can't a public database of "false positives" be created so that NIDS users everywhere can submit theirs and make life simple for everybody? Of course, that applies to NIDS with open sigs such as Snort and Dragon. Obviously, lots of FPs are specific to a certain brand of NIDS, but I think it will still be pretty useful (especially since other NIDS vendors are adopting the Snort sig language...).

For example, a submission may take the form of 'Application X during auth phase always triggers snort alarm Y' or 'I keep seeing this in my environment; here is the packet dump, here is the alert X which gets triggered'.

I suspect implementing such an idea will optimize NIDS rule development by a large margin and will help to fight off evil anti-NIDS FUD.

Just to clarify, "false positive" here is a known benign triggering of a NIDS alert (NOT 'my Apache is hit by CodeRed', which some people are confused about :-)). E.g. (just saw it :-)) fetchmail SSL auth under such and such conditions triggers the snort 649 SHELLCODE sig.

Best,

--
Anton A. Chuvakin, Ph.D., GCI*
http://www.chuvakin.org
http://www.info-secure.org
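The triage loop the post is asking for, as an added example that is not part of the original message: parse Snort fast-format alert lines and check each one against a small local copy of the proposed false-positive database, so that documented benign triggers (here, the fetchmail-over-SSL hit on sid 649 mentioned above) are separated from alerts that still need an analyst. The alert lines, the database entry, the port conditions and the sid 649 message text are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Snort 2.x "fast" alert line layout (assumed); sample lines below are constructed.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

@dataclass(frozen=True)
class KnownFP:
    """One community submission: 'application X under condition Y trips sid Z'."""
    sid: int
    application: str
    proto: str
    ports: frozenset   # service ports on either side of the benign traffic
    note: str

# Hypothetical local copy of the shared false-positive database.
FP_DB = [
    KnownFP(649, "fetchmail (SSL/TLS)", "TCP", frozenset({993, 995}),
            "encrypted IMAPS/POP3S payload happens to match the SHELLCODE byte pattern"),
]

# Constructed sample alerts: one is the documented fetchmail FP, one is not.
SAMPLE_ALERTS = [
    "09/23-12:51:56.000001 [**] [1:649:5] SHELLCODE x86 setgid 0 [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} 192.0.2.10:993 -> 10.0.0.5:43210",
    "09/23-12:52:01.000002 [**] [1:649:5] SHELLCODE x86 setgid 0 [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} 198.51.100.7:4444 -> 10.0.0.8:80",
]

def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast-format alert."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k])
    return d

def classify(alert, db=FP_DB):
    """Return the matching KnownFP entry, or None if the alert is not a documented FP."""
    for fp in db:
        if fp.sid == alert["sid"] and fp.proto == alert["proto"] \
                and (alert["sport"] in fp.ports or alert["dport"] in fp.ports):
            return fp
    return None

def triage(lines, db=FP_DB):
    """Split raw alert lines into (known_benign, needs_review) lists of parsed alerts."""
    known, review = [], []
    for line in lines:
        a = parse_alert(line)
        if a is not None:
            (known if classify(a, db) else review).append(a)
    return known, review
```

Matching on sid plus protocol and service port keeps the suppression narrow: the same signature firing on port 80 traffic is still routed to review.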