IDS mailing list archives

RE: "False postive" database idea


From: "Anton A. Chuvakin" <anton () chuvakin org>
Date: Wed, 24 Sep 2003 12:02:07 -0400 (EDT)

Chad and all,

> What is to prevent someone from crafting a new attack, checking what its
> signature looks like in a NIDS, then submitting that signature for insertion
> into the database?  If the database were then updated with such a signature,
> those utilizing the database to identify "false positives" would identify
> the signature of such an attack as a false positive.

Well, a database (as envisioned) should require one more critical
component to utilize effectively - a brain :-) Ideally, it should be
strategically positioned in the head of some human :-), looking at the IDS
alerts and the "FPdb" data.

When I mentioned database, I did NOT imply any automated processing of
kind 'NIDS sees an alert and does an online lookup to FPdb'. The usage
pattern is more likely to be 'I know I run Application X here and snort
keeps flagging its traffic as Y Attack. What is going on? How can I
research it? The person then goes and looks for "common false positives
with Application X" as reported by the community.  He sees that this
traffic was often reported as a FP and that guidelines are provided to
tune the signature to avoid that.'

The above usage scenario makes the abuse possibility very low. Overall,
the FPdb will serve to HELP with research rather than to REPLACE it.

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCI*
     http://www.chuvakin.org
   http://www.info-secure.org

