Re: "False postive" database idea

["Anton A. Chuvakin" <anton () chuvakin org>]

George and all,

> A bugzilla approach might make more sense, so that the appropriate
> developers are afforded the opportunity to address any issues with their
Hmm, not sure. That kinda implies that "false positives" are "bugs" in
NIDSs, which (IMHO) they are not. Again IMHO, FPs are inherent to
signature-based ID and can be reduced (via many means), but not "turned
off" (I am assuming everybody saw this equation of FPs vs FNs).  The most
recent realization I had on that was when my Dragon NIDS produced a P#RN
signature as a result of somebody reading an Apache manual (just like the
signature doc said it might) :-) Obviously, NIDSs are still incrediblky
useful in spite of that!

I suspect that vendors might want to adjust signatures if there are
persistent reports about some particular sig being very FP-prone, but not
really based on every single report.

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCI*
     http://www.chuvakin.org
   http://www.info-secure.org


---------------------------------------------------------------------------
Captus Networks IPS 4000
Intrusion Prevention and Traffic Shaping Technology to: 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Precisely Define and Implement Network Security & Performance Policies
FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo 
http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------