IDS mailing list archives
Re: RE: Tuning false positives - SIM is not the answer
From: rassel_k () hotmail com
Date: 29 Dec 2005 06:44:45 -0000
SIM systems are nice. They give great graphical views and good methods of drilling into the info. However, they are not able to do anything about cutting down the amount of false positives; tuning the IPS is still a must.

SIM systems have nothing to do with the fact that your IDS/IPS gets 300,000 alerts per day. It'll just sum it up nicely for you so you don't read them one at a time. However, if some of them are for real attacks and others from misconfigured network devices, you're bound to miss the real attacks.

SIM will help you see trends, not find targeted attacks, and if you want your IPS to work, you have to make a choice: lots of alarms catching lots of false positives (sometimes 80%-90% of alerts), or fewer alarms, accepting you may be missing some of the more interesting attacks (either targeted, or just stuff that gets too many false alarms in your specific environment).

You should use a SIM, but don't expect it to solve the problem of configuring and analyzing your alarms; this problem is as old as detection systems.

Just my $0.02

Rassel
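The distinction the post draws, a SIM rolling alerts up into counts versus actually tuning the sensor, can be seen on a handful of alerts. The following is an added example, not code from the post or from any SIM or IPS product: it parses constructed Snort-style "fast" alert lines (the signature IDs, messages and addresses are made up for illustration), produces the per-signature summary a SIM would show, and then applies two kinds of tuning: per-source suppression in the style of a Snort `suppress ... track by_src` entry, and disabling a rule outright. The noisy switch and printer are hypothetical; the one alert that distinguishes the two approaches is an external host hitting the same SNMP signature the switch floods.

```python
# Added example (not from the original post): SIM-style aggregation versus
# sensor tuning over constructed Snort "fast" alert lines. All SIDs, messages,
# hosts and timestamps below are made up for illustration.
import re
from collections import Counter

# Subset of the Snort fast-alert format:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):?(?P<sport>\d*)\s+->\s+"
    r"(?P<dst>[\d.]+):?(?P<dport>\d*)$"
)


def _fast(ts, sid, msg, prio, proto, src, dst):
    """Build one constructed fast-alert line."""
    return f"{ts}  [**] [1:{sid}:1] {msg} [**] [Priority: {prio}] {{{proto}}} {src} -> {dst}"


# Constructed sample: a misconfigured switch polling the monitoring host (200 alerts),
# a printer that pings its gateway (50 alerts), and three alerts worth a human's time.
SAMPLE_ALERTS = [
    _fast(f"12/28-06:{i // 60:02d}:{i % 60:02d}.000000", 2001, "SNMP request udp",
          2, "UDP", "10.0.0.7:52100", "10.0.0.1:161")
    for i in range(200)
] + [
    _fast(f"12/28-06:{i // 60:02d}:{i % 60:02d}.500000", 2002, "ICMP PING NMAP",
          3, "ICMP", "10.0.0.9", "10.0.0.1")
    for i in range(50)
] + [
    _fast("12/28-06:44:45.000000", 2003, "WEB-ATTACKS /etc/passwd access",
          1, "TCP", "203.0.113.5:40122", "192.0.2.10:80"),
    _fast("12/28-06:44:46.000000", 2004, "SHELLCODE x86 NOOP",
          1, "TCP", "203.0.113.5:40130", "192.0.2.10:80"),
    # Same signature the switch floods, but from an external source: the
    # "interesting" alert that a blunt rule disable would throw away.
    _fast("12/28-06:44:47.000000", 2001, "SNMP request udp",
          2, "UDP", "203.0.113.8:2000", "10.0.0.1:161"),
]


def parse_alert(line):
    """Parse one fast-alert line into a dict; raise on lines the regex rejects."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unparsed alert line: {line!r}")
    d = m.groupdict()
    return {"sid": int(d["sid"]), "msg": d["msg"], "priority": int(d["prio"]),
            "proto": d["proto"], "src": d["src"], "dst": d["dst"]}


def summarize(alerts):
    """SIM-style roll-up: one (sid, msg, count) row per signature, busiest first.
    The counts are accurate, but the 3 alerts that matter sit under 250 noisy ones."""
    counts = Counter((a["sid"], a["msg"]) for a in alerts)
    return sorted(((sid, msg, n) for (sid, msg), n in counts.items()),
                  key=lambda row: (-row[2], row[0]))


def tune(alerts, suppress=(), disabled=()):
    """Apply sensor-side tuning and return the alerts that survive.

    suppress: (sid, src_ip) pairs, the equivalent of a Snort
              'suppress gen_id 1, sig_id <sid>, track by_src, ip <src_ip>' entry.
    disabled: SIDs switched off entirely (the blunt instrument).
    """
    sup = set(suppress)
    dis = set(disabled)
    return [a for a in alerts
            if a["sid"] not in dis and (a["sid"], a["src"]) not in sup]


if __name__ == "__main__":
    alerts = [parse_alert(line) for line in SAMPLE_ALERTS]
    print("SIM view:", summarize(alerts))
    # Targeted tuning: silence the known-noisy hosts only.
    kept = tune(alerts, suppress=[(2001, "10.0.0.7"), (2002, "10.0.0.9")])
    print("after per-source suppression:", summarize(kept))
    # Blunt tuning: the external SNMP probe disappears along with the noise.
    blunt = tune(alerts, disabled=[2001, 2002])
    print("after disabling the rules:", summarize(blunt))
```

Run as a script it prints three summaries: the roll-up a SIM would show (SNMP on top with 201 hits), the three alerts left after suppressing the two noisy internal sources, and the two left after disabling the SNMP and ICMP rules altogether, which is where the external SNMP probe is lost. That last difference is the trade-off the post describes: fewer alarms bought by disabling rules costs coverage, while suppression keyed on the misbehaving source keeps it.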