IDS mailing list archives

Re: amount of alarms generated by IDS


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 6 May 2004 16:34:50 +1200

On Wed, May 05, 2004 at 06:27:02PM -0400, Anton A. Chuvakin wrote:
> Gartner's IDS bonfire :-) I have some rough metrics from various
> production networks and various NIDS products (for default signatures), but
> am very curious what others have. I'd also exclude some notorious
> signatures (like, NOP on port 80) from analysis, and will only look at
> "random" FPs vs the systematic ones (such as the above).

But you've already answered it. There's no way you can compare FP rates as
everyone immediately starts disabling rules on their "real" networks. 

e.g.

Snort has a set of rules that trigger whenever anyone attempts NETBIOS
administrative access. We run Snort over our WAN traffic - so guess what? It
triggered every 'n'th packet. So we turned them all off. There was no point.
Now, someone from the Internet doing that to our DMZ hosts would be a
different story - but seeing *any* NETBIOS traffic reaching our DMZ hosts
would be cause for alarm - let alone admin!

What we have done is moved more into a "good", "informational" and "exclude"
ruleset. We exclude noisy rules, log "informational" (which contains all the
FPs if you want to put a label on it, along with all the DMZ attacks that
you want to know about but can't do anything to stop) and alert/send
pages/etc on the "good" alerts. 

I don't think "good" was the right choice there now... "Scream now" might
have been better ;-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
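
One way to implement the three-tier routing described in the post above, as an added example that is not part of the original message: it parses constructed Snort fast-style alert lines, applies a hypothetical sid-to-tier map, and re-tiers the NETBIOS rule by context so internal WAN hits are excluded while any NETBIOS from outside reaching the DMZ becomes a "good" (page-now) alert. The network ranges, sids and messages are assumptions, not real signatures.

```python
import ipaddress
import re

# Constructed Snort "fast"-style alert lines; sids and messages are hypothetical.
SAMPLE_ALERTS = [
    "05/06-16:34:50.000001 [**] [1:1000001:1] NETBIOS SMB admin share access [**] [Priority: 2] {TCP} 10.1.2.3:1029 -> 10.2.5.7:445",
    "05/06-16:34:51.000002 [**] [1:1000001:1] NETBIOS SMB admin share access [**] [Priority: 2] {TCP} 203.0.113.9:40000 -> 192.0.2.10:445",
    "05/06-16:34:52.000003 [**] [1:1000002:1] WEB-MISC NOP sled in HTTP stream [**] [Priority: 3] {TCP} 203.0.113.20:51000 -> 192.0.2.10:80",
    "05/06-16:34:53.000004 [**] [1:1000003:1] EXPLOIT remote shell spawn [**] [Priority: 1] {TCP} 203.0.113.30:52000 -> 192.0.2.11:22",
    "05/06-16:34:54.000005 [**] [1:1000004:1] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 203.0.113.40:53000 -> 192.0.2.10:80",
]

ALERT_RE = re.compile(
    r"\[1:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

# Assumed address plan: internal WAN space and the Internet-facing DMZ.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
DMZ = [ipaddress.ip_network("192.0.2.0/24")]

# Static tier per sid; anything unmapped defaults to "informational" (logged, not paged).
TIERS = {1000001: "informational", 1000002: "exclude", 1000003: "good"}


def is_in(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def classify(line):
    """Return the alert's fields plus its tier, or None for unparseable lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    sid, msg, src, dst = int(m["sid"]), m["msg"], m["src"], m["dst"]
    tier = TIERS.get(sid, "informational")
    # Same NETBIOS signature, different meaning depending on where it fires:
    # internal-to-internal admin access is routine noise; NETBIOS from the
    # Internet reaching a DMZ host is something to page on immediately.
    if msg.startswith("NETBIOS"):
        if is_in(src, INTERNAL) and is_in(dst, INTERNAL):
            tier = "exclude"
        elif is_in(dst, DMZ) and not is_in(src, INTERNAL):
            tier = "good"
    return {"sid": sid, "msg": msg, "src": src, "dst": dst, "tier": tier}


def route(lines):
    """Bucket alert sids by tier: 'good' pages, 'informational' logs, 'exclude' drops."""
    buckets = {"good": [], "informational": [], "exclude": []}
    for line in lines:
        rec = classify(line)
        if rec:
            buckets[rec["tier"]].append(rec["sid"])
    return buckets
```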
