Penetration Testing mailing list archives

Re: After getting the alerts generated by IDS, how do we distinguish true positive, false positive and false negative?


From: "Jamie Riden" <jamie.riden () gmail com>
Date: Mon, 18 Aug 2008 22:17:49 +0100

2008/8/18 Ahmad, Md. Mustaque <md-mustaque.ahmad () hp com>:
> Hi All,
>
> After getting the alerts generated by IDS, how do we distinguish true positive, false positive and false negative?

Look at all the logs you have - packet dumps, logs from network
proxies, DNS servers, and of course the targeted machine.

In particular, a buffer overflow alert won't tell you on its own
whether it was a successful exploit - you'll have to look for
post-compromise activity such as port-scanning or similar from the
(potentially) compromised machine.

> And what do we do with true positive alerts? How do we export alerts from the database (steps)?

Depends on the IDS - most interfaces will have options to export or
email groups of alerts.

cheers,
 Jamie
-- 
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/
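An added example, not code from the thread or from Jamie, of the correlation he describes: take each IDS alert, then check whether the targeted host itself started fanning out connections (scan-like behaviour) shortly afterwards, and separately list hosts that show the same fan-out with no alert at all, which is where the false negatives hide. Alert tuples, the connection-log format, the addresses and the thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed IDS alerts: (timestamp, signature, attacker, targeted host).
IDS_ALERTS = [
    ("2008-08-18 21:40:05", "SHELLCODE x86 NOOP", "203.0.113.7", "192.0.2.10"),
    ("2008-08-18 21:41:12", "SHELLCODE x86 NOOP", "203.0.113.9", "192.0.2.20"),
]

def build_sample_conn_log():
    """Constructed outbound connection log, one 'date time src dst dst_port' per line:
    192.0.2.10 sweeps port 22 on 12 neighbours a minute after its alert, 192.0.2.20
    makes one ordinary connection, 192.0.2.30 sweeps with no IDS alert at all."""
    lines = [f"2008-08-18 21:41:{i:02d} 192.0.2.10 198.51.100.{i} 22" for i in range(1, 13)]
    lines.append("2008-08-18 21:45:00 192.0.2.20 198.51.100.50 443")
    lines += [f"2008-08-18 22:05:{i:02d} 192.0.2.30 198.51.100.{i} 445" for i in range(1, 13)]
    return "\n".join(lines)

def peers_by_source(conn_log):
    """src host -> list of (timestamp, (dst, dst_port)) it connected to."""
    conns = defaultdict(list)
    for line in conn_log.splitlines():
        date, clock, src, dst, port = line.split()
        conns[src].append((parse_ts(f"{date} {clock}"), (dst, port)))
    return conns

def classify_alerts(alerts, conn_log, window=timedelta(minutes=30), min_targets=10):
    """Map (alert timestamp, targeted host) -> verdict. 'likely true positive' means the
    targeted host opened connections to >= min_targets distinct host:port pairs within
    the window after the alert; 'unconfirmed' still needs host-level evidence."""
    conns = peers_by_source(conn_log)
    verdicts = {}
    for ts_s, _sig, _attacker, target in alerts:
        t0 = parse_ts(ts_s)
        peers = {peer for ts, peer in conns[target] if t0 <= ts <= t0 + window}
        verdicts[(ts_s, target)] = "likely true positive" if len(peers) >= min_targets else "unconfirmed"
    return verdicts

def unalerted_scanners(alerts, conn_log, min_targets=10):
    """Hosts with the same scan-like fan-out but no alert naming them as a target:
    candidate false negatives to review by hand."""
    alerted = {target for _ts, _sig, _attacker, target in alerts}
    conns = peers_by_source(conn_log)
    return sorted(src for src, rows in conns.items()
                  if src not in alerted and len({peer for _ts, peer in rows}) >= min_targets)
```

Run `classify_alerts(IDS_ALERTS, build_sample_conn_log())` and `unalerted_scanners(IDS_ALERTS, build_sample_conn_log())` to see the two verdicts and the one unalerted host; an "unconfirmed" verdict is not a false positive until the host logs have been checked too.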
