IDS mailing list archives

RE: IPS false positives


From: "Basgen, Brian" <bbasgen () pima edu>
Date: Fri, 14 Apr 2006 09:43:19 -0700

Paul,

 Thanks for the feedback. 

 I would like to better understand what seems like quite a contrast in
your statements. At first, you define with seemingly broad strokes whole
categories of signatures that an IPS won't/can't block by definition.
Then you state that these whole categories that are not blocked make up
less than 1% of the spectrum, and further that this number is in overall
decline. How can those two positions be reconciled as you have done?

 You also refer to "very good numbers on this metric." I'm curious about
the numbers on the metric you refer to. What are they? What does the
metric look like? 

=============

 My questions derive from the following portions of your mail. Below you
list five categories of signatures that do not block by default on your
IPS.

we prefer to recommend blocking for a signature after it 
has been in the field for a month or two. 

ISS also has anomaly based signatures... these tend 
not to be candidates for default blocking

policy enforcement signatures... these are not 
candidates for a default blocking policy.

ISS provides a large number of audit signatures...generally blocking
is a bad idea with these as they trigger on normal traffic by design.

In some cases, signatures are disabled by default (and therefore have
no blocking) for performance reasons. 

==============

 Drawing from this, you state the following conclusions:

You ask how many false negatives can get through a default IPS
configuration? 
It is now easily less than 10% (probably less than 1%).
So, our percentage blocked increases with each update. 

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Security Architect
Pima Community College
