IDS mailing list archives

Re: need your help,thanks


From: Jose Maria Lopez <jkerouac () bgsec com>
Date: 29 Aug 2004 18:57:35 +0200

On Wed, 25 Aug 2004 at 04:42, Charles Heselton wrote:
On Sun, 22 Aug 2004 13:37:22 +0800, Lily <xiaoche111 () hotmail com> wrote:
Hi all,
   I am a youngling in IDS. I read some papers on the network these days, and the more I read the less I
understand, because there are so many research areas in IDS and I don't know what I'll do. There are some questions
below:

Keep reading.  ;)

   1. Have the false alarm rates been resolved now? I think it's an essential premise of the area of "response
mechanism of IDS" that I want to research, do you think so?

False alarms depend upon the accuracy of your signatures, and the
peculiarity of your traffic.  If the traffic in your environment is
out of RFC standard, but is considered "normal" for your environment,
it could produce a lot of false positives, especially with an anomaly
based IDS.  I think that this is something that IDS will always have
to deal with.  You can never have *perfect* detection.

Snort used to have a patch that was an abnormality detector that could
learn from the "normal" traffic at your site and make alerts when
"strange" traffic was detected, but I think it didn't work very well
because it seems that they have quit the development.


-- 
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac () bgsec com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
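
Added example (not part of the original message, and not Snort code): a minimal sketch of the learned-baseline anomaly detection discussed in this thread, showing why traffic that is normal for one site produces false positives under a baseline learned elsewhere. The class name, the feature choice (protocol, destination port), the threshold and all sample traffic are assumptions constructed for illustration.

```python
import math
from collections import Counter


class BaselineDetector:
    """Learns how often each (protocol, dst port) pair occurs in traffic
    assumed to be normal, then scores new packets by how rare they are."""

    def __init__(self, threshold_bits=8.0):
        self.counts = Counter()
        self.total = 0
        self.threshold_bits = threshold_bits  # assumed alerting threshold

    def learn(self, packets):
        for pkt in packets:
            self.counts[pkt] += 1
            self.total += 1

    def score(self, pkt):
        # Anomaly score = -log2(P(pkt)). Add-one smoothing gives pairs that
        # were never seen a finite but high score.
        p = (self.counts[pkt] + 1) / (self.total + len(self.counts) + 1)
        return -math.log2(p)

    def alerts(self, packets):
        return [p for p in packets if self.score(p) > self.threshold_bits]


# Constructed sample data, not captured traffic.
GENERIC = [("tcp", 80)] * 600 + [("tcp", 443)] * 300 + [("udp", 53)] * 100
# This site runs an in-house service on tcp/7001: unusual, but normal here.
SITE = [("tcp", 80)] * 50 + [("tcp", 7001)] * 40 + [("udp", 53)] * 10
ODD = ("tcp", 31337)  # a pair neither baseline has ever seen


def build(training):
    det = BaselineDetector()
    det.learn(training)
    return det


def false_positives(det, benign):
    # Every alert on traffic known to be benign is a false positive.
    return len(det.alerts(benign))


if __name__ == "__main__":
    generic, tuned = build(GENERIC), build(GENERIC + SITE)
    print("generic baseline, FPs on site traffic:", false_positives(generic, SITE))
    print("site baseline,    FPs on site traffic:", false_positives(tuned, SITE))
    print("unseen pair still alerts:", bool(tuned.alerts([ODD])))
```

Whatever is present during the learning window becomes "normal", so the baseline is only as trustworthy as the traffic it was trained on.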

