IDS mailing list archives
Re: Snort with an expert system
From: Tomas Olsson <tol () sics se>
Date: Thu, 25 Jun 2009 16:04:27 +0200
Stefano Zanero wrote:
>> OK, I think I've got your point. The "misconfiguration" of snort was that we did not tune the signature rules. We used the default rules.
>>
>> Is it a false positive, a case where there is no rule, or the traffic does not match the rule, and the engine still fires? This does not fit with the above definition since the alert must be triggered by the traffic.
>
> You would be surprised to know that this is the only case where you're pretty sure it IS a false positive that you are looking at (a false positive of the engine itself, whereas the other examples are noncontextual alerts caused by careless configuration by the user).
>
>> Yes, if there was no attack or intrusion triggering the alert. But why would the user not want to be alerted if it is a real intrusion?
>
> Because maybe it is a rule firing for a real attack on a vulnerability that is not present. By the way: is this a false positive or not? :-) Do you see why I say that "false positive" is a dangerous beast to define?
>
>> With respect to using the alerts as input to our algorithm, none of these objections are important. We just use the type of alerts as sensor data that we want to analyze to see when the frequencies of each type of alert diverge from what has previously been observed.
>
> And what does that imply? Do you filter out what diverges, or do you filter out what does not diverge? How does "diverging statistically" with the specific algorithm which you chose actually have any relationship with an alert being a false positive or not?
>
>> Well, there is nothing that says that there must be any difference between a false and a true alert.
>
> That's the point, exactly.
>
>> However, assume that there is legitimate traffic that triggers false alerts on a regular basis.
>
> Here you are: you are detecting misconfigurations and noncontextuals, not false positives ;-) As I said, it's a matter of definition. And "artificial ignorance" (as dubbed by Marcus Ranum) works using the principle you stated, but with a much simpler apparatus.
>
> If this is all you're looking for, then probably the algorithm you are using is overkill. (And, in IDEVAL, there's probably no such traffic, unless you severely misconfigure Snort.)
>
> Best,
> Stefano
Maybe I have just been thinking of this wrongly? If we instead see the IDS as a sensor that triggers alerts on interesting "events"/patterns in the traffic, then we can monitor the alerts and signal whenever something "unusual" happens using our algorithm. Then we do not filter false positives, but we have created another type of IDS based on anomaly detection in combination with rules, if we assume that the signal correlates to intrusions.
/Tomas
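As an added illustration of the two approaches discussed above (not code from either poster, nor from Snort or IDEVAL): the block below treats Snort "fast"-format alert lines as sensor data, builds a per-signature baseline of hourly alert counts, and flags a window in which a signature's frequency diverges from that baseline. Beside it is a Ranum-style "artificial ignorance" filter, which simply suppresses every signature that ever fired during the baseline. The alert lines, the signature IDs (1:1000001:1 etc.), the addresses and the rule messages are all constructed for the example; the threshold and the stdev floor are assumptions, not values from the thread.

```python
"""Added example: alert-frequency divergence vs. artificial ignorance over Snort fast alerts.
All alert lines, signature IDs and addresses below are constructed for the example."""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Snort alert_fast line prefix: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ..."
ALERT_RE = re.compile(r"^(\d\d/\d\d)-(\d\d):\d\d:\d\d\.\d+\s+\[\*\*\]\s+\[(\d+:\d+:\d+)\]")


def signature_of(line):
    """Return 'gid:sid:rev' for a parseable fast-alert line, else None."""
    m = ALERT_RE.match(line)
    return m.group(3) if m else None


def parse_alerts(lines):
    """Yield (hourly window, 'gid:sid:rev') for each parseable fast-alert line."""
    for line in lines:
        m = ALERT_RE.match(line)
        if m:
            day, hour, sig = m.groups()
            yield f"{day} {hour}h", sig


def count_by_window(lines):
    """Map hourly window -> Counter of alerts per signature (the 'sensor' view)."""
    counts = defaultdict(Counter)
    for window, sig in parse_alerts(lines):
        counts[window][sig] += 1
    return counts


def artificial_ignorance(baseline, lines):
    """Ranum-style filter: drop every signature that fired at all during the baseline,
    keep only alert lines for signatures never seen before."""
    seen = {sig for c in baseline.values() for sig in c}
    return [line for line in lines if signature_of(line) not in seen | {None}]


def frequency_divergence(baseline, current, threshold=3.0, floor=1.0):
    """Return {sig: z} for signatures whose count in `current` (a Counter for one window)
    lies more than `threshold` standard deviations from the baseline per-window mean.
    Windows where a signature did not fire count as 0. `floor` keeps a constant baseline
    (stdev 0) from turning any change into an infinite z-score (assumed parameters)."""
    windows = list(baseline.values())
    sigs = set(current) | {s for c in windows for s in c}
    flagged = {}
    for sig in sigs:
        history = [c[sig] for c in windows]        # Counter returns 0 for absent keys
        mu, sd = mean(history), pstdev(history)
        z = (current[sig] - mu) / max(sd, floor)
        if abs(z) > threshold:
            flagged[sig] = round(z, 2)
    return flagged


def fast_line(day, hour, minute, sig, msg, src, dst):
    """Build a constructed alert_fast line."""
    return (f"{day}-{hour:02d}:{minute:02d}:00.000000  [**] [{sig}] {msg} [**] "
            f"[Classification: Example] [Priority: 2] {{TCP}} {src} -> {dst}")


SIG_A = "1:1000001:1"  # constructed: fires on legitimate traffic every hour (noncontextual)
SIG_B = "1:1000002:1"  # constructed: rare in the baseline, bursts in the current window
SIG_C = "1:1000003:1"  # constructed: never seen during the baseline

BASELINE_LINES = []
for hour in (10, 11, 12, 13):
    BASELINE_LINES += [fast_line("06/24", hour, m, SIG_A, "EXAMPLE chatty rule",
                                 "10.0.0.5:4444", "10.0.0.9:80") for m in range(5)]
    if hour in (10, 11):
        BASELINE_LINES.append(fast_line("06/24", hour, 30, SIG_B, "EXAMPLE rare rule",
                                        "10.0.0.7:5555", "10.0.0.9:22"))

CURRENT_LINES = (
    [fast_line("06/25", 10, m, SIG_A, "EXAMPLE chatty rule", "10.0.0.5:4444", "10.0.0.9:80")
     for m in range(5)]
    + [fast_line("06/25", 10, m, SIG_B, "EXAMPLE rare rule", "10.0.0.7:5555", "10.0.0.9:22")
       for m in range(12)]
    + [fast_line("06/25", 10, 45, SIG_C, "EXAMPLE unseen rule", "10.0.0.8:6666", "10.0.0.9:443")]
)


def demo():
    """Run both methods on the constructed data and return what each would surface."""
    baseline = count_by_window(BASELINE_LINES)
    current = count_by_window(CURRENT_LINES)["06/25 10h"]
    return {
        "artificial_ignorance_keeps": sorted({signature_of(l) for l in
                                              artificial_ignorance(baseline, CURRENT_LINES)}),
        "divergent": frequency_divergence(baseline, current),
    }


if __name__ == "__main__":
    print(demo())
```

On the constructed data the two methods surface different things: artificial ignorance keeps only the never-seen signature (1:1000003:1) and silently drops the burst of the rare rule, while the frequency test flags the burst (1:1000002:1) but says nothing about the single unseen alert, and would also flag the chatty rule if it went quiet. Neither says anything about whether an alert is a "false positive" in Stefano's sense; both only encode what "unusual relative to the baseline" means.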
Current thread:
- Re: Re: Snort with an expert system tol (Jun 23)
- Re: Snort with an expert system Stefano Zanero (Jun 25)
- Re: Snort with an expert system Tomas Olsson (Jun 25)
- Re: Snort with an expert system Stefano Zanero (Jun 25)
- Re: Snort with an expert system Tomas Olsson (Jun 25)
- Re: Snort with an expert system Stefano Zanero (Jun 25)
- Re: Snort with an expert system Tomas Olsson (Jun 25)
- Re: Snort with an expert system Stefano Zanero (Jun 25)
- Re: Snort with an expert system Tomas Olsson (Jun 25)
- Re: Snort with an expert system Joel Esler (Jun 25)
- Re: Snort with an expert system Greg Shipley (Jun 25)
- Re: Snort with an expert system Martin Roesch (Jun 25)
- Re: Snort with an expert system Gary Halleen (Jun 26)
- Re: Snort with an expert system Stefano Zanero (Jun 26)
- Re: Snort with an expert system mhellman (Jun 26)
- Re: Snort with an expert system Martin Roesch (Jun 29)
- Re: Snort with an expert system Tomas Olsson (Jun 30)
- Re: Snort with an expert system Stefano Zanero (Jun 30)
- Re: Snort with an expert system Tomas Olsson (Jun 25)
- Re: Snort with an expert system Stefano Zanero (Jun 25)
- Re: Snort with an expert system Richard Bejtlich (Jun 25)