Re: Snort with an expert system

[Tomas Olsson <tol () sics se>]

Stefano Zanero wrote:
> > > Is it a false positive a case where there is no rule, or the traffic
> > > does not match with the rule, and the engine still fires?
> > >       
>
>   
> > This does not fit with the above definition since the alert must be
> > triggered by the traffic.
> >     
>
> You would be surprised in knowing that this is the only case where
> you're pretty sure it IS a false positive that you are looking at (a
> false positive of the engine itself, whereas the other examples are
> noncontextual alerts caused by careless configuration by the user)
>
>   
> > Yes, if there was no attack or intrusion triggering the alert. But, why
> > would the user not want to be alerted if it is a real intrusion?
> >     
>
> Because maybe it is a rule firing for a real attack on a vulnerability
> that is not present. By the way: is this a false positive or not? :-)
>
> Do you see why I say that "false positive" is a dangerous beast to define?
>
>   
> > With respect to using the alerts as input to our algorithm, no of these
> > objections are important. We just use the type of alerts as sensor data
> > that we want to analyze to see when the frequencies of each type of
> > alert diverge from what previously has been observed.
> >     
>
> And what does that imply ? Do you filter out what diverges, or do you
> filter out what does not diverge? How "diverging statistically" with the
> specific algorithm which you chose actually have any relationship with
> an alert being a false positive or not?
>
>   
> > Well, there is nothing that says that there must be any difference
> > between a false and a true alert. 
> >     
>
> That's the point, exactly.
>
>   
> > However, assume that there are
> > legitimate traffic that  triggers false alerts on a regular basis.
> >     
>
> Here you are: you are detecting misconfigurations and noncontextuals,
> not false positives ;-)
>
> As I said, it's a matter of definition.
>
> And "artificial ignorance" (as dubbed by Marcus Ranum) works using the
> principle you stated, but with a much simpler apparatus. If this is all
> you're looking for, then probably the algorithm you are using is an
> overkill.
>
> (and, in IDEVAL, there's probably no such traffic, unless you severely
> misconfigure Snort)
>
> Best,
> Stefano
>   
OK, I think I've got your point. The "misconfiguration" of snort was 
that we did not tune the signature rules. We used the default rules.

Maybe, I just have been thinking of this wrongly? If we instead see the 
IDS as a sensor that triggers alerts on interesting "events"/patterns in 
the traffic that we think is interesting. Thereafter, we can monitor the 
alerts and signal when ever something "unusual" happens using our 
algorithm. The we do not filter false positives, but we have created 
another type of IDS based on anomaly detection in combination with 
rules, if we assume that the signal correlates to intrusions.
/Tomas



-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate 
on your web server, you can securely collect sensitive information online, and increase business by giving your 
customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194