IDS mailing list archives
Re: amount of alarms generated by IDS
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 6 May 2004 16:34:50 +1200
On Wed, May 05, 2004 at 06:27:02PM -0400, Anton A. Chuvakin wrote:
Gartner's IDS bonfire :-) I have some rough metrics from various production networks and various NIDS products (for default signatures), but am very curious what others have. I'd also exclude some notorious signatures (like, NOP on port 80) from analysis, and will only look at "random" FPs vs the systematic ones (such as the above).
But you've already answered it. There's no way you can compare FP rates as everyone immediately starts disabling rules on their "real" networks. e.g. Snort has a set of rules that trigger whenever anyone attempts NETBIOS administrative access. We run Snort over our WAN traffic - so guess what? It triggered every 'n'th packet. So we turned them all off. There was no point. Now, someone from the Internet doing that to our DMZ hosts would be a different story - but seeing *any* NETBIOS traffic reaching our DMZ hosts would be cause for alarm - let alone admin!

What we have done is moved more into a "good", "informational" and "exclude" ruleset. We exclude noisy rules, log "informational" (which contains all the FPs if you want to put a label on it, along with all the DMZ attacks that you want to know about but can't do anything to stop) and alert/send pages/etc on the "good" alerts.

I don't think "good" was the right choice there now... "Scream now" might have been better ;-)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
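The three-way ruleset Jason describes (drop the noisy rules, log the "informational" ones, page on the ones that matter), with the same NETBIOS signature treated as WAN noise but as an alarm once it reaches a DMZ host, worked through as an added Python example. This is not code from the list post or from Snort: the SIDs, addresses and alert lines are constructed placeholders, and the Snort "fast" alert layout is assumed.

```python
import ipaddress
import re
from collections import Counter

# Constructed values: DMZ in RFC 5737 TEST-NET; every SID below is a placeholder, not a real Snort rule ID.
DMZ = ipaddress.ip_network("192.0.2.0/24")
NETBIOS_ADMIN_SIDS = {900001, 900002}  # "NETBIOS administrative access" style rules
EXCLUDE_SIDS = {900010}                # systematic false positives, dropped outright
SCREAM_SIDS = {900020}                 # rules that page someone whenever they fire

# Assumed Snort 'fast' alert layout: [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?$"
)

# Constructed alert lines (timestamps, addresses and messages are made up).
ALERTS = [
    "05/06-09:01:02.000001 [**] [1:900001:1] NETBIOS SMB admin share access [**] [Priority: 2] {TCP} 10.1.2.3:1025 -> 10.9.8.7:445",
    "05/06-09:01:03.000002 [**] [1:900001:1] NETBIOS SMB admin share access [**] [Priority: 2] {TCP} 198.51.100.7:40000 -> 192.0.2.10:445",
    "05/06-09:01:04.000003 [**] [1:900010:1] WEB-MISC noisy rule [**] [Priority: 3] {TCP} 198.51.100.8:5555 -> 192.0.2.20:80",
    "05/06-09:01:05.000004 [**] [1:900030:1] WEB-CGI probe against DMZ web server [**] [Priority: 3] {TCP} 198.51.100.9:6000 -> 192.0.2.20:80",
    "05/06-09:01:06.000005 [**] [1:900020:1] outbound connection from DMZ host to Internet [**] [Priority: 1] {TCP} 192.0.2.20:31337 -> 198.51.100.9:4444",
]

def parse_fast_alert(line):
    """Return sid/msg/src/dst from one fast-format line, or None if it does not parse."""
    m = FAST_RE.search(line)
    return m and {"sid": int(m["sid"]), "msg": m["msg"],
                  "src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"])}

def tier(alert):
    """Place an alert in exclude / informational / scream using both the rule and where it fired."""
    sid, dst = alert["sid"], alert["dst"]
    if sid in EXCLUDE_SIDS:
        return "exclude"
    if sid in NETBIOS_ADMIN_SIDS:
        # Same signature, different meaning: NETBIOS admin on the internal WAN is noise, NETBIOS into the DMZ is an alarm.
        return "scream" if dst in DMZ else "exclude"
    if sid in SCREAM_SIDS:
        return "scream"
    # Everything else, including Internet attacks on DMZ hosts, is logged for later review.
    return "informational"

def route(lines):
    """Tally a batch of fast-format lines per tier; lines that do not parse count as 'unparsed'."""
    counts = Counter()
    for alert in map(parse_fast_alert, lines):
        counts[tier(alert) if alert else "unparsed"] += 1
    return counts
```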