IDS mailing list archives

Re: "False positive" database idea


From: George Bakos <gbakos () ists dartmouth edu>
Date: Thu, 25 Sep 2003 17:58:01 -0400

On Thu, 25 Sep 2003 17:22:08 -0400 (EDT)
"Anton A. Chuvakin" <anton () chuvakin org> wrote:

George and all,

A bugzilla approach might make more sense, so that the appropriate
developers are afforded the opportunity to address any issues with their

Hmm, not sure. That kinda implies that "false positives" are "bugs" in
NIDSs, which (IMHO) they are not. 

I agree completely. Bugzilla submissions need not imply a flaw, merely a
condition that is being brought to the attention of the
community/developers. Should there be a number of submissions pertaining
to rule XYZ, that knowledge may help an analyst in their triage of the
dozens of daily "high-priority" reports.

Again IMHO, FPs are inherent to
signature-based ID and can be reduced (via many means), but not "turned
off" (I am assuming everybody saw this equation of FPs vs FNs).  The most
recent realization I had on that was when my Dragon NIDS produced a P#RN
signature as a result of somebody reading an Apache manual (just like the
signature doc said it might) :-) Obviously, NIDSs are still incredibly
useful in spite of that!

I suspect that vendors might want to adjust signatures if there are
persistent reports about some particular sig being very FP-prone, but not
really based on every single report.

Not necessarily vendors, but users. One of the primary benefits of
open-source rule definitions is the ability to tune any NIDS rule to a
greater extent than just ON, OFF, or report threshold X. The challenge of
deciding, initially and over time, which of the thousands of available
rules to tune can be a daunting one for many, and can be made considerably
simpler through such a database. Unfortunately, I have been at too many
sites where default rulesets are turned on and left alone, resulting in
mountains of impertinent logs. Statistical analysis methods and enterprise
management consoles help, but simple site/organization-specific rule
tuning yields huge payoffs.

Cheers!

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCI*
     http://www.chuvakin.org
   http://www.info-secure.org


-- 
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax
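As an added illustration of the site-specific rule tuning George describes (not code from the thread or from any NIDS vendor), the script below counts alerts per signature across constructed Snort fast-format alert lines, flags the rules that dominate the daily pile, and drafts threshold.conf "suppress" entries for a source that repeatedly trips one rule. The sample alerts, signature IDs and addresses are constructed; an analyst reviews the drafted entries before deploying them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alerts in Snort "fast" format (not from the original thread).
SAMPLE_ALERTS = """\
09/25-17:01:02.000001  [**] [1:1000001:3] WEB-MISC Apache manual access [**] [Priority: 2] {TCP} 10.1.1.50:51234 -> 10.1.1.80:80
09/25-17:01:05.000002  [**] [1:1000001:3] WEB-MISC Apache manual access [**] [Priority: 2] {TCP} 10.1.1.50:51240 -> 10.1.1.80:80
09/25-17:02:10.000003  [**] [1:1000001:3] WEB-MISC Apache manual access [**] [Priority: 2] {TCP} 10.1.1.50:51260 -> 10.1.1.80:80
09/25-17:03:00.000004  [**] [1:1000002:1] SCAN suspicious probe [**] [Priority: 1] {TCP} 203.0.113.9:4444 -> 10.1.1.80:22
09/25-17:04:00.000005  [**] [1:1000001:3] WEB-MISC Apache manual access [**] [Priority: 2] {TCP} 10.1.1.51:40000 -> 10.1.1.80:80
"""

# Pulls generator id, signature id, revision, message and source address out of one alert line.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

def parse_alerts(text):
    """Yield (gid, sid, msg, src) for each well-formed fast-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m["gid"]), int(m["sid"]), m["msg"], m["src"]

def fp_candidates(text, min_hits=3):
    """Return {(gid, sid): {src: count}} for signatures that fired at least min_hits times.

    A rule firing repeatedly from the same internal host is the classic tuning
    candidate (the Apache-manual case in the thread); a single hit from an outside
    address is left alone for the analyst to look at.
    """
    per_sig = defaultdict(Counter)
    for gid, sid, _msg, src in parse_alerts(text):
        per_sig[(gid, sid)][src] += 1
    return {k: dict(v) for k, v in per_sig.items() if sum(v.values()) >= min_hits}

def suppress_lines(candidates, min_src_hits=3):
    """Draft threshold.conf 'suppress' entries for sources that trip one signature repeatedly.

    Suppression is narrow (one sig, one source), so the rule stays active for
    everyone else instead of being switched OFF site-wide.
    """
    out = []
    for (gid, sid), srcs in sorted(candidates.items()):
        for src, n in sorted(srcs.items()):
            if n >= min_src_hits:
                out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return out

if __name__ == "__main__":
    for line in suppress_lines(fp_candidates(SAMPLE_ALERTS)):
        print(line)
```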
