IDS mailing list archives

Re: amount of alarms generated by IDS


From: "Anton A. Chuvakin" <anton () chuvakin org>
Date: Wed, 5 May 2004 18:27:02 -0400 (EDT)

How many alarms will an IDS generate per day? What percentage of them
are false positives? I know it depends on the product, the monitored network
and other factors, such as date, time, etc.
It obviously does, but I am wondering how stable the FP ratio ('false
positive') will be across different networks. I suspect that everybody
sits on their own numbers and thinks 'oh, it's different for every
network'. But is it really so? Maybe the reason that such information is
not widely available is that few people actually analyze their IDS events
with the required depth..? If so, it would add some rocket fuel to
Gartner's IDS bonfire :-) I have some rough metrics from various
production networks and various NIDS products (for default signatures), but
am very curious what others have. I'd also exclude some notorious
signatures (like NOP on port 80) from analysis, and will only look at
"random" FPs vs the systematic ones (such as the above).

Discussion anybody?

Best,
-- 
Anton A. Chuvakin, Ph.D., GCIA, GCIH
     http://www.info-secure.org
   http://www.securitywarrior.com
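The split the post proposes, between "systematic" false positives (signatures that fire on benign traffic nearly every time, like NOP on port 80) and "random" ones, can be made concrete once analyst verdicts are attached to alerts. The following is an added example, not code from the post or from any IDS product: it assumes each alert already carries a "tp"/"fp" verdict from triage, uses constructed alert counts rather than data from a real sensor, and the thresholds (at least 10 alerts, FP rate at or above 95%) for calling a signature systematic are hypothetical. It reports the overall FP ratio and the ratio with systematic signatures excluded, which is the number the post suggests comparing across networks.

```python
"""Per-signature false-positive ratios, with systematic FP signatures split out.

Added example. Assumes analyst verdicts ("tp" or "fp") are already attached to
each alert, e.g. exported from a triage database. Thresholds are hypothetical.
"""
from collections import defaultdict


def make_alerts(signature, fp, tp):
    """Build a constructed list of (signature, verdict) tuples for one signature."""
    return [(signature, "fp")] * fp + [(signature, "tp")] * tp


# Constructed sample day of alerts (counts invented for illustration, not from any sensor).
SAMPLE_ALERTS = (
    make_alerts("SHELLCODE x86 NOOP (port 80)", fp=40, tp=0)      # systematic FP
    + make_alerts("ICMP PING", fp=12, tp=0)                        # systematic FP
    + make_alerts("WEB-MISC /etc/passwd", fp=3, tp=5)              # random FPs
    + make_alerts("SCAN nmap TCP", fp=2, tp=8)                     # random FPs
    + make_alerts("MS-SQL Worm propagation attempt", fp=0, tp=6)   # no FPs
)


def per_signature_counts(alerts):
    """Count fp/tp verdicts per signature; reject verdicts outside the two labels."""
    counts = defaultdict(lambda: {"fp": 0, "tp": 0})
    for sig, verdict in alerts:
        if verdict not in ("fp", "tp"):
            raise ValueError(f"unknown verdict {verdict!r} for signature {sig!r}")
        counts[sig][verdict] += 1
    return dict(counts)


def fp_ratio(fp, tp):
    """FP share of a set of alerts; 0.0 when there are no alerts at all."""
    total = fp + tp
    return fp / total if total else 0.0


def systematic_signatures(counts, min_alerts=10, min_fp_ratio=0.95):
    """Signatures that are both noisy (enough volume) and almost always false.

    The thresholds are assumptions; tune them to the sensor and network.
    """
    return sorted(
        sig
        for sig, c in counts.items()
        if c["fp"] + c["tp"] >= min_alerts
        and fp_ratio(c["fp"], c["tp"]) >= min_fp_ratio
    )


def fp_summary(alerts, min_alerts=10, min_fp_ratio=0.95):
    """Overall FP ratio, and the same ratio with systematic signatures removed."""
    counts = per_signature_counts(alerts)
    systematic = set(systematic_signatures(counts, min_alerts, min_fp_ratio))
    fp_all = sum(c["fp"] for c in counts.values())
    tp_all = sum(c["tp"] for c in counts.values())
    fp_rest = sum(c["fp"] for s, c in counts.items() if s not in systematic)
    tp_rest = sum(c["tp"] for s, c in counts.items() if s not in systematic)
    return {
        "alerts": fp_all + tp_all,
        "fp_ratio_all": fp_ratio(fp_all, tp_all),
        "systematic": sorted(systematic),
        "alerts_excluding_systematic": fp_rest + tp_rest,
        "fp_ratio_excluding_systematic": fp_ratio(fp_rest, tp_rest),
        "per_signature": {s: fp_ratio(c["fp"], c["tp"]) for s, c in counts.items()},
    }


if __name__ == "__main__":
    summary = fp_summary(SAMPLE_ALERTS)
    for sig, ratio in sorted(summary["per_signature"].items()):
        print(f"{ratio:6.1%}  {sig}")
    print("systematic:", summary["systematic"])
    print(f"FP ratio, all signatures:       {summary['fp_ratio_all']:.1%}")
    print(f"FP ratio, systematic excluded:  {summary['fp_ratio_excluding_systematic']:.1%}")
```

On the constructed sample the two noisy signatures drive the overall FP ratio to 75%, while the remaining signatures sit at about 21%; it is the second figure that is worth comparing between networks, since the first mostly measures which default signatures were left enabled.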

