IDS mailing list archives
RE: "False postive" database idea
From: "Anton A. Chuvakin" <anton () chuvakin org>
Date: Wed, 24 Sep 2003 12:02:07 -0400 (EDT)
Chad and all,
> What is to prevent someone from crafting a new attack, checking what its signature looks like in a NIDS, then submitting that signature for insertion into the database? If the database were then updated with such a signature, those utilizing the database to identify "false positives" would identify the signature of such an attack as a false positive.
Well, a database (as envisioned) should require one more critical component to utilize effectively - a brain :-) Ideally, it should be strategically positioned in the head of some human :-), looking at the IDS alerts and the "FPdb" data.

When I mentioned a database, I did NOT imply any automated processing of the kind 'NIDS sees an alert and does an online lookup to FPdb'. The usage pattern is more likely to be 'I know I run Application X here and snort keeps flagging its traffic as Y Attack. What is going on? How can I research it? The person then goes and looks for "common false positives with Application X" as reported by the community. He sees that this traffic was often reported as a FP and that guidelines are provided to tune the signature to avoid that.'

The above usage scenario makes the abuse possibility very low. Overall, the FPdb will serve to HELP with research rather than to REPLACE it.

Best,

--
Anton A. Chuvakin, Ph.D., GCI*
http://www.chuvakin.org
http://www.info-secure.org