IDS mailing list archives

Re: Current IDS problems


From: Dhruv Soi <dhruv_ymca () yahoo com>
Date: Sat, 22 Oct 2005 11:25:03 -0700 (PDT)

But false positives are induced by the researchers
who have created low-quality signatures, which bring
false positives.

The problem I see in the case of false positives is
limitations in the language constructs of the IDS and
the engine support to digest those signatures. Even if
a vulnerability researcher is able to discover what
the ideal signature should be to stop blah blah attack,
he requires language constructs in the engine to give
him the ability to write such signatures. But due to
the severity of the attack he/she really wants to get
away by writing the signature in any case. So this ends
up in a low-quality signature at times and hence
promotes false positives. I am not saying this happens
most of the time, but sometimes researchers complain
about this thing. And providing such facilities for
researchers may sometimes require a lot of changes in
the engine which the company can't afford to do, or
sometimes the requirement is not even feasible.

So I should say that this problem is in the
architecture implementation or the researchers, and
not actually in IDS technology as such, which simply
no company can avoid as there is always a human
working on that part.

But to overcome the problem of false positives, IDS
companies are providing vulnerability correlation
mechanisms/data-mining techniques in their products.

But this was all about insights, and 0boy might be
concerned about the IDS implementation. So I would
like to list down a few of those points out here...

1. Of course false positives, if the IDS is not
supporting the things I talked about above.
2. Log analysis of the IDS to see the attacks happening
on your network.
3. Handling of zero-day attacks for high-severity
vulnerabilities.
4. Frequency of signature updates to clients. It
should be like product companies are providing
signatures to clients where the attack came into the
picture one month back.
5. Many of the IDS companies are still not very sure
that their product is 100% protecting against IDS
evasion techniques, wherein an attack can be bypassed.
But don't worry, every company will claim that "They
Do".
6. The GUI of a few products is not that user friendly.
7. Redundancy of hardware components of the IDS, in
case it's a hardware product. Some time back, I
evaluated a few IDS/IPS products to carry out a
recommendation project for some company. But I have
not seen any product that doesn't provide this
capability. You may see some product, because there
are a lot in the market.
8. I even found good support service from all the
companies. Whenever I required any help to understand
any of the features from inside, they always responded
quickly. And the guys giving the support were actually
smart enough to understand my words and give me
satisfactory answers, so I never had the experience of
hitting my head on the wall ;-). But service support
is one of the biggest parameters which can take you
into big-time frustration.

To end up the mail, I feel the problems can be
categorized into Signatures (both accuracy and
response time), Implementation (both software and
hardware) and Service Support (both in terms of
response time and the smartness of people).

I hope I am able to explain the things and you are
not hitting your head on the wall ;-)

-Dhruv
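As an added illustration of two of the points above, the limits of signature-language constructs (the paragraph on engine support) and evasion (item 5), here is a toy matching engine. It is not code from Dhruv's mail or from any product he evaluated; the HTTP request payloads, the labels and both "signatures" are constructed for this example. It contrasts the only signature an engine with raw substring search allows you to write against the same detection once the engine offers URI scoping and URL-decoding, and counts the false positives and misses each produces on the same traffic.

```python
"""Toy signature engine, added as an illustration; not code from any IDS
product or from the original mail. All traffic samples are constructed."""
import re
from typing import Callable, List, Optional, Tuple
from urllib.parse import unquote

# Constructed HTTP request payloads, labelled True when they are an attack.
TRAFFIC: List[Tuple[str, bool]] = [
    # Directory traversal to read /etc/passwd via a CGI parameter.
    ("GET /cgi-bin/view.cgi?file=../../../../etc/passwd HTTP/1.0\r\n\r\n", True),
    # Same attack, URL-encoded: a raw substring signature no longer sees it.
    ("GET /cgi-bin/view.cgi?file=..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.0\r\n\r\n", True),
    # Benign documentation page whose path merely contains the string.
    ("GET /docs/etc/passwd-format.html HTTP/1.0\r\n\r\n", False),
    # Benign forum post that mentions the file in the request body.
    ("POST /forum/post HTTP/1.0\r\nContent-Length: 28\r\n\r\ntext=see+/etc/passwd+on+unix", False),
]


def crude_signature(payload: str) -> bool:
    """The only signature an engine offering raw substring search lets the
    researcher write: fire on '/etc/passwd' anywhere in the packet."""
    return "/etc/passwd" in payload


def request_uri(payload: str) -> Optional[str]:
    """Extract the request-URI from an HTTP request line, or None when the
    payload is not an HTTP request (so a URI-scoped signature cannot match)."""
    request_line = payload.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[1]


# One or more '../' segments followed by etc/passwd, after decoding.
TRAVERSAL = re.compile(r"(?:\.\./)+etc/passwd")


def precise_signature(payload: str) -> bool:
    """The same detection when the engine offers two extra constructs:
    scope the match to the request-URI and URL-decode it before matching.
    Single-pass decoding is assumed here; double-encoded input would need
    to be decoded repeatedly until it stops changing."""
    uri = request_uri(payload)
    if uri is None:
        return False
    return TRAVERSAL.search(unquote(uri)) is not None


def evaluate(signature: Callable[[str], bool],
             traffic: List[Tuple[str, bool]] = TRAFFIC) -> Tuple[int, int]:
    """Return (false_positives, missed_attacks) for a signature over
    labelled traffic."""
    false_positives = sum(1 for payload, is_attack in traffic
                          if signature(payload) and not is_attack)
    missed = sum(1 for payload, is_attack in traffic
                 if is_attack and not signature(payload))
    return false_positives, missed


if __name__ == "__main__":
    for name, sig in (("crude", crude_signature), ("precise", precise_signature)):
        fp, missed = evaluate(sig)
        print(f"{name:8s} false positives={fp} missed attacks={missed}")
```

The crude signature both alerts on two benign requests and misses the encoded attack; the precise one does neither. Nothing about the researcher's knowledge changed between the two, only what the engine let them express, which is the point made above about engine support.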

--- crazy frog crazy frog <i.m.crazy.frog () gmail com>
wrote:

false positives. Although we need to fine-tune it to
reduce this stuff.

On 10/19/05, zero <zeroboy () arrakis es> wrote:
Hi all,
   I would like to know what are the problems
people working with IDS see in
   them. I mean, what are the things you hate
about IDS, think are simply
   plain wrong, or feel there should be another
way to do it.

   All comments are greatly appreciated :)

   Thanks in advance.






------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to

http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.


------------------------------------------------------------------------




--
ting ding ting ding ting ding
ting ding ting ding ding
i m crazy frog :)