Re: Snort with an expert system

[Gary Halleen <ghalleen () cisco com>]

I don't disagree with you.  In fact, in an earlier message I said that for
operations people (security or network), all noise is a false positive, even
if, technically, it is not really.

Gary



On 6/26/09 12:30 PM, "Stuart Staniford" <sstaniford () FireEye com> wrote:

> On Jun 25, 2009, at 5:18 PM, Gary Halleen wrote:
>
> > On 6/25/09 3:26 AM, "Stefano Zanero" <s.zanero () securenetwork it>
> > wrote:
> >
> > > > "A false positive is an alert that triggers on normal traffic
> > > > where no
> > > > intrusion or attack is underway"
> > >
> > > That's a good definition, but not really complete. Under that
> > > definition, if you place a rule that flags IRC connections, and it
> > > fires, is that a false positive?
> >
> > GH:  No.  If a rule or signature fires on traffic you asked it to
> > fire on,
> > then it is not a false positive, regardless of whether or not it is an
> > attack or intrusion.
>
> To echo what Greg said - from a customer perspective, it's all the
> same.  Customers generally buy both an engine and a set of rules as a
> single package, and if the combination is reporting things that aren't
> actual attacks, then it's making them unhappy.  Few customers are
> writing their own rules.
>
> Distinguishing between whether the problem is in the engine or the
> rule is useful internally at the vendor to decide what needs to get
> fixed, but customers are not likely to care that much.
>
> The way our (FireEye's) technology reduces false positives is to
> replay the traffic in an instrumented virtual machine, to see if it
> really is an attack or not.  We have a lot fewer false positives than
> traditional IDS products (we don't ship a release with any that are
> known to us, though a few still pop up in the field unfortunately -
> you can never test against everything that will show up on a
> customer's network)
>
> Stuart Staniford.
>
> -----------------------------------------------------------------
> Securing Your Online Data Transfer with SSL.
> A guide to understanding SSL certificates, how they operate and their
> application. By making use of an SSL certificate on your web server, you can
> securely collect sensitive information online, and increase business by giving
> your customers confidence that their transactions are safe.
> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194



The Hacker only has to be right once...

Stay Secure!

Gary Halleen, CISSP-ISSAP, CHP
Author, Security Monitoring with CS-MARS, ISBN: 1587052709



-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate 
on your web server, you can securely collect sensitive information online, and increase business by giving your 
customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194