IDS mailing list archives
RE: amount of alarms generated by IDS
From: Ravishankar Ithal <ravi_ithal () yahoo com>
Date: Fri, 7 May 2004 00:21:16 -0700 (PDT)
Along the same lines, any first-hand experiences on how snort-inline or any other inline IDS/IPS solutions are faring in small/medium enterprise production environments? The right-out-of-the-box configs for an inline device are expected to generate much fewer FPs, since admins don't have all the time in the world to tune the rules, unlike on a promiscuous-mode device.

-Ravishankar Ithal

--- Shawn <wjveno () shaw ca> wrote:

I believe that all IDS have a very large FP rate right out of the box. The lower FP rate is usually due to experienced analysts and proper correlation of events. When I hear about a low FP rate, I generally think that it has to do with a well-trained staff that have direct input into the engineering of their IDS equipment. Because there is no "magic product" that will "do it all", most in the IDS world have to rely on different technologies, software and hardware properly pieced together and correlated.

Another factor could be your organization's focus. Once you stop worrying about Joe Blow scripter scanning the outside of your network, automatically log him as a future correlation event, and notice some of the more stealthy "big picture" stuff that's going on in your network, your worries and interests shift dramatically.

Different networks will have different purposes and usages and therefore separate/different rule sets and/or IDS equipment. If there is more than one network, the networks were probably separated with good reasons! If network A has a web server and a file server while network B has a mail server and a file server, the same configured IDS rules will have different FP (False Positives) from each network as well as some that are similar.

I believe that the reason IDS alarm information is not widely available is partly due to the sheer volume of data, and the usage of different equipment, with some having no "stats" ability. As well, most companies have a hard time allocating man hours for IDS because they cannot see the initial ROI, might see the stats as belonging to the "company" and would discourage staff from using man hours for someone else's data. Also, some forms of data I've seen give a lot of information that is better kept private.

For example: just given a set of FP on one port, that the IDS mistakes for a certain exploit, I know that that port or lack of port is used by an older, insecure system (ex: Banyan VINES) and how to exploit that system and get "inside" the internal network.

I know I did not answer your question directly, but I hope this will give you some factors to ponder in your quest for the elusive IDS FP/STATS.

Wil Veno
Network IDS Engineer
wjveno () shaw ca

-----Original Message-----
From: Anton A. Chuvakin [mailto:anton () chuvakin org]
Sent: Wednesday, May 05, 2004 4:27 PM
To: focus-ids () securityfocus com
Subject: Re: amount of alarms generated by IDS

> How many alarms will an IDS generate per day? What percentage of them
> are false positives? I know it depends on products, the monitored
> network and other factors, such as date, time etc.

It obviously does, but I am wondering how stable the FP ratio ('false positive') will be across different networks. I suspect that everybody sits on their own numbers and thinks 'oh, it's different for every network'. But is it really so? Maybe the reason that such information is not widely available is that few people actually analyze their IDS events with the required depth..? If so, it would add some rocket fuel to Gartner's IDS bonfire :-)

I have some rough metrics from various production networks and various NIDS products (for default signatures), but am very curious what others have. I'd also exclude some notorious signatures (like NOP on port 80) from analysis, and will only look at "random" FPs vs the systematic ones (such as the above).

Discussion anybody?

Best,
--
Anton A. Chuvakin, Ph.D., GCIA, GCIH
http://www.info-secure.org
http://www.securitywarrior.com
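Anton's proposal to measure FP ratio only after setting aside the "systematic" signatures (the NOP-on-port-80 class) can be made concrete with a small accounting script. The following is an added example, not code from anyone in the thread. It assumes that alerts have already been reviewed by an analyst and reduced to (signature, verdict) pairs; the signature names and counts in SAMPLE_ALERTS are constructed for illustration, and the thresholds in systematic_signatures (at least 20 alerts, at least 90% false) are arbitrary choices an operator would tune.

```python
"""Per-signature false-positive accounting for reviewed IDS alerts.

Added example for the focus-ids thread; not the thread's or any product's code.
Input model (assumption): each alert is a (signature, verdict) tuple where
verdict is "tp" (true positive) or "fp" (false positive) after analyst review.
"""
from collections import defaultdict

# Constructed sample: one day of reviewed alerts. Counts are invented; the
# names merely stand in for a noisy shellcode/NOP rule, a scan-detection rule,
# and a few lower-volume rules that fire for real reasons most of the time.
SAMPLE_ALERTS = (
    [("SHELLCODE x86 NOOP", "fp")] * 180
    + [("SHELLCODE x86 NOOP", "tp")] * 2
    + [("WEB-IIS cmd.exe access", "tp")] * 12
    + [("WEB-IIS cmd.exe access", "fp")] * 3
    + [("ICMP PING NMAP", "fp")] * 40
    + [("SNMP public access udp", "fp")] * 6
    + [("SNMP public access udp", "tp")] * 4
    + [("MS-SQL Worm propagation attempt", "tp")] * 9
)


def per_signature_counts(alerts):
    """Tally tp/fp verdicts per signature; reject unknown verdict labels."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0})
    for signature, verdict in alerts:
        if verdict not in ("tp", "fp"):
            raise ValueError(f"unknown verdict {verdict!r} for {signature!r}")
        counts[signature][verdict] += 1
    return dict(counts)


def fp_ratio(tp, fp):
    """Fraction of alerts that were false; 0.0 when there were no alerts."""
    total = tp + fp
    return fp / total if total else 0.0


def systematic_signatures(counts, min_alerts=20, min_fp_ratio=0.9):
    """Signatures that fire often AND are almost always wrong.

    These are the 'notorious' rules the thread suggests excluding: their
    volume swamps the overall ratio and says nothing about analyst quality.
    """
    return sorted(
        sig for sig, c in counts.items()
        if c["tp"] + c["fp"] >= min_alerts
        and fp_ratio(c["tp"], c["fp"]) >= min_fp_ratio
    )


def overall_fp_ratio(counts, exclude=()):
    """Aggregate FP ratio over all signatures not in `exclude`."""
    tp = sum(c["tp"] for s, c in counts.items() if s not in exclude)
    fp = sum(c["fp"] for s, c in counts.items() if s not in exclude)
    return fp_ratio(tp, fp)


def report(alerts):
    """Overall ratio with and without the systematic signatures."""
    counts = per_signature_counts(alerts)
    systematic = systematic_signatures(counts)
    return {
        "systematic": systematic,
        "fp_ratio_all": overall_fp_ratio(counts),
        "fp_ratio_random": overall_fp_ratio(counts, exclude=set(systematic)),
        "per_signature": {s: fp_ratio(c["tp"], c["fp"]) for s, c in counts.items()},
    }


if __name__ == "__main__":
    r = report(SAMPLE_ALERTS)
    print("systematic signatures:", r["systematic"])
    print(f"FP ratio, all alerts:          {r['fp_ratio_all']:.1%}")
    print(f"FP ratio, systematic excluded: {r['fp_ratio_random']:.1%}")
    for sig, ratio in sorted(r["per_signature"].items()):
        print(f"  {sig:35s} {ratio:.1%}")
```

On the constructed sample the two high-volume rules are flagged as systematic, the raw FP ratio comes out near 89%, and the ratio over the remaining "random" alerts is about 26%. That gap is the reason two sites with identical sensors can report wildly different numbers: the headline ratio mostly measures which noisy rules were left enabled, not how well the staff investigate the rest.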
Current thread:
- Re: amount of alarms generated by IDS Alberto Gonzalez (May 03)
- <Possible follow-ups>
- Re: amount of alarms generated by IDS Anton A. Chuvakin (May 05)
- Re: amount of alarms generated by IDS Jason Haar (May 06)
- RE: amount of alarms generated by IDS Shawn (May 06)
- RE: amount of alarms generated by IDS Ravishankar Ithal (May 07)
- RE: amount of alarms generated by IDS Harper, Patrick (May 06)
- Re: amount of alarms generated by IDS Bhargav Bhikkaji (May 10)
- Re: amount of alarms generated by IDS Ravishankar Ithal (May 10)
- RE: amount of alarms generated by IDS Rob Shein (May 11)
- RE: amount of alarms generated by IDS Ravishankar Ithal (May 12)
- RE: amount of alarms generated by IDS Rob Shein (May 11)
- Re: amount of alarms generated by IDS Jason (May 11)
- Re: amount of alarms generated by IDS Dennis Cox (May 11)
- Re: amount of alarms generated by IDS Jason (May 13)
- Re: amount of alarms generated by IDS Ravishankar Ithal (May 10)
- RE: amount of alarms generated by IDS Frank Knobbe (May 11)