IDS mailing list archives

Re: Tuning false positives

From: Pukhraj Singh <pukhraj.singh () gmail com>
Date: Wed, 28 Dec 2005 11:37:01 +0530

I agree with you on this point. Most products are prone to false
positives in the production environment, when run in their default
mode.  This highlights the lack of good QA testing methodology for the
product. Most vendors rub their hands off after making signatures and
protocols parsers. One thing they don't realize that QA is an equally
important process because companies can't afford to drop (mission
critical) sessions due to a false positives. I am afraid there's
nothing much you can do except grill the vendors. The vendors, on the
other hand should run their products against extensive amounts of
normal and malicious traffic and if it is possible even test them in
production environments with cooperation of the client.

Thanks
Pukhraj

On 12/25/05, Sam Heshbon <sheshbon () yahoo com> wrote:

My company is testing a few intrusion detection & prevention products. On the first few hours/days
after deployment the machines alert on ten of thousands of events, which is way too much for us to
ever go through, most of which are false alarms.

The vendor's solution is tuning the systems, which means shutting down signatures, detection
mechanisms, omitting defragmentation tests and so on. These tunings do reduce dramatically the
number of alerts, but it seems most of the detection capabilities have been shut off too, so
things are
nice and quite but we've no idea what's really going on in our network apart from catching the
trivial threats such as old worms, which don't get false alarms.
Has anyone encountered this situation? Anyone got a solution?

Thanks

Sam



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

Current thread:

Tuning false positives Sam Heshbon (Dec 27)
- Re: Tuning false positives ismail syed (Dec 27)
- RE: Tuning false positives Omar Herrera (Dec 27)
- Re: Tuning false positives Pukhraj Singh (Dec 27)
- Re: Tuning false positives David W. Goodrum (Dec 28)
- <Possible follow-ups>
- RE: Tuning false positives Gary Halleen (ghalleen) (Dec 27)
- RE: Tuning false positives Hazel, Scott A. (Dec 28)
- RE: Tuning false positives Balázs Imre (Dec 28)
- RE: Tuning false positives Gary Halleen (ghalleen) (Dec 28)