IDS mailing list archives
RE: IPS false positives
From: "Basgen, Brian" <bbasgen () pima edu>
Date: Fri, 14 Apr 2006 09:43:19 -0700
Paul,

Thanks for the feedback. I would like to better understand what seems like quite a contrast in your statements. At first, you define with seemingly broad strokes whole categories of signatures that an IPS won't/can't block by definition. Then you state that these whole categories that are not blocked make up less than 1% of the spectrum, and further that this number is in overall decline. How can those two positions be reconciled as you have done?

You also refer to "very good numbers on this metric." I'm curious about the numbers on the metric you refer to. What are they? What does the metric look like?

=============

My questions derive from the following portions of your mail. Below you list five categories of signatures that do not block by default on your IPS.
we prefer to recommend blocking for a signature after it has been in the field for a month or two.
ISS also has anomaly based signatures... these tend not to be candidates for default blocking
policy enforcement signatures... these are not candidates for a default blocking policy.
ISS provides a large number of audit signatures...generally blocking is a bad idea with these as they trigger on normal traffic by design.
In some cases, signatures are disabled by default (and therefore have no blocking) for performance reasons.
==============

Drawing from this, you state the following conclusions:
You ask how many false negatives can get through a default IPS configuration?
It is now easily less than 10% (probably less than 1%). So, our percentage blocked increases with each update.
~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Security Architect
Pima Community College