IDS mailing list archives

RE: amount of alarms generated by IDS


From: "Harper, Patrick" <patrick.harper () phns com>
Date: Thu, 6 May 2004 07:47:16 -0500

I think it depends on tuning and IDS philosophy.  Do you monitor inside
or outside your firewall, or both?  Do you monitor your internal network?
Do you run with all the rules, default set, or do you tailor your
ruleset for the devices and servers on your network?



-----Original Message-----
From: Anton A. Chuvakin [mailto:anton () chuvakin org] 
Sent: Wednesday, May 05, 2004 4:27 PM
To: focus-ids () securityfocus com
Subject: Re: amount of alarms generated by IDS

How many alarms will an IDS generate per day? What percentage of them
are false positive? I know it depends on products, the monitored network
and other factors, such as date, time etc.
It obviously does, but I am wondering how stable the FP ratio ('false
positive') will be across different networks. I suspect that everybody
sits on their own numbers and thinks 'oh, it's different for every
network'. But is it really so? Maybe the reason that such information is
not widely available is that few people actually analyze their IDS
events with the required depth..? If so, it would add some rocket fuel
to Gartner's IDS bonfire :-) I have some rough metrics from various
production networks and various NIDS products (for default signatures),
but am very curious what others have. I'd also exclude some notorious
signatures (like, NOP on port 80) from analysis, and will only look at
"random" FPs vs the systematic ones (such as the above).

Discussion anybody?

Best,
--
Anton A. Chuvakin, Ph.D., GCIA, GCIH
     http://www.info-secure.org
   http://www.securitywarrior.com
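One way to put numbers on the "random vs systematic FP" distinction the quoted message proposes, as an added example that is not part of the thread: it takes a constructed, analyst-labelled alert sample (signature names, counts and verdicts are assumed), computes the overall FP ratio, flags signatures that are nearly always false as systematic, and reports the FP ratio of what remains.

```python
from collections import defaultdict

# Constructed sample of analyst-verdicted alerts for one day: (signature, is_false_positive).
# Signature names and counts are assumed for illustration, not measured data.
SAMPLE = (
    [("SHELLCODE x86 NOOP", True)] * 12                      # the "NOP on port 80" case
    + [("WEB-MISC /etc/passwd", False)] * 3 + [("WEB-MISC /etc/passwd", True)]
    + [("ICMP PING NMAP", False)] * 4 + [("ICMP PING NMAP", True)] * 2
    + [("WEB-IIS cmd.exe access", False)] * 4 + [("WEB-IIS cmd.exe access", True)]
)

def per_signature(alerts):
    """Map each signature to (total alerts, false positives)."""
    stats = defaultdict(lambda: [0, 0])
    for sig, is_fp in alerts:
        stats[sig][0] += 1
        stats[sig][1] += int(is_fp)
    return {sig: tuple(v) for sig, v in stats.items()}

def fp_ratio(alerts):
    """Overall false-positive fraction of a sample; 0.0 for an empty sample."""
    if not alerts:
        return 0.0
    return sum(1 for _, is_fp in alerts if is_fp) / len(alerts)

def split_systematic(alerts, min_count=10, fp_threshold=0.95):
    """Signatures with at least min_count hits that are false at or above
    fp_threshold are 'systematic' (tuning candidates); everything else is
    the residual sample whose FPs count as 'random'."""
    stats = per_signature(alerts)
    systematic = {sig for sig, (n, fp) in stats.items()
                  if n >= min_count and fp / n >= fp_threshold}
    residual = [a for a in alerts if a[0] not in systematic]
    return systematic, residual

def report(alerts, **thresholds):
    """Summary a reader could compare across networks."""
    systematic, residual = split_systematic(alerts, **thresholds)
    return {"total": len(alerts),
            "overall_fp_ratio": fp_ratio(alerts),
            "systematic": sorted(systematic),
            "random_fp_ratio": fp_ratio(residual)}

if __name__ == "__main__":
    for key, value in report(SAMPLE).items():
        print(f"{key}: {value}")
```

With the sample above the overall ratio is 16/27, but once the single systematic signature is set aside the residual ratio drops to 4/15, which is the kind of "random FP" figure the message suggests comparing across networks.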

