Penetration Testing mailing list archives
Re: After getting the alerts generated by IDS how we distinguish true positive, false positive and false negative.
From: "Jamie Riden" <jamie.riden () gmail com>
Date: Mon, 18 Aug 2008 22:17:49 +0100
2008/8/18 Ahmad, Md. Mustaque <md-mustaque.ahmad () hp com>:
> Hi All, After getting the alerts generated by IDS how we distinguish true positive, false positive and false negative.
Look at all the logs you have - packet dumps, logs from network proxies, DNS servers, and of course the targeted machine. In particular, a buffer overflow alert won't tell you on its own whether it was a successful exploit - you'll have to look for post-compromise activity such as port-scanning or similar from the (potentially) compromised machine.
> And what do we do with true positive alerts? How do we export alerts from the database (steps)?
Depends on the IDS - most interfaces will have options to export or email groups of alerts.

cheers,
Jamie
--
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/
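As an added illustration of the correlation Jamie describes (this is example code written for this archive page, not something from his post or the Honeynet Project), the script below takes a buffer-overflow alert from an IDS and looks in the firewall log for what the targeted host did in the minutes afterwards. A host that suddenly starts contacting many internal neighbours on one port is the kind of post-compromise sign that turns an ambiguous alert into a likely true positive; an alert with no follow-on activity stays unconfirmed until other sources (proxy, DNS, the host itself) are checked. The alerts, the log format and the log lines are all constructed for the example.

```python
"""Triage an IDS alert by correlating it with firewall logs (added example).

Everything below is constructed sample data: the alerts, the log format
("timestamp src dst dport action", an assumption) and the log lines themselves.
"""
from datetime import datetime, timedelta

# Constructed IDS alerts: the same signature fired against two internal hosts.
ALERTS = [
    {"time": datetime(2008, 8, 18, 21, 0, 0), "sig": "EXPLOIT buffer overflow attempt",
     "src": "203.0.113.7", "dst": "10.0.0.5"},
    {"time": datetime(2008, 8, 18, 21, 5, 0), "sig": "EXPLOIT buffer overflow attempt",
     "src": "203.0.113.8", "dst": "10.0.0.6"},
]

# Constructed firewall log. After the first alert 10.0.0.5 sweeps sixteen
# neighbours on 445/tcp; after the second alert 10.0.0.6 only does a DNS lookup.
FIREWALL_LOG = "\n".join(
    ["2008-08-18T20:59:58 203.0.113.7 10.0.0.5 80 ALLOW",
     "2008-08-18T21:00:02 10.0.0.5 10.0.0.50 53 ALLOW"]
    + [f"2008-08-18T21:00:{10 + i:02d} 10.0.0.5 10.0.0.{20 + i} 445 DENY"
       for i in range(16)]
    + ["2008-08-18T21:04:58 203.0.113.8 10.0.0.6 80 ALLOW",
       "2008-08-18T21:05:03 10.0.0.6 10.0.0.50 53 ALLOW"]
)


def parse_firewall_log(text):
    """Parse the assumed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append({"time": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "dport": int(dport), "action": action})
    return events


def post_alert_activity(alert, events, window=timedelta(minutes=30)):
    """Summarise outbound connections from the alert's target host after the alert.

    The interesting question is not "did the exploit packet arrive" (the IDS
    already says so) but "did the target start behaving like an attacker".
    """
    end = alert["time"] + window
    outbound = [e for e in events
                if e["src"] == alert["dst"] and alert["time"] <= e["time"] <= end]
    return {
        "connections": len(outbound),
        "distinct_dsts": len({e["dst"] for e in outbound}),
        "distinct_ports": sorted({e["dport"] for e in outbound}),
        "denied": sum(1 for e in outbound if e["action"] == "DENY"),
    }


def classify_alert(alert, events, scan_threshold=10):
    """Return ('likely true positive' | 'unconfirmed', activity summary).

    A target that contacts at least scan_threshold distinct hosts shortly after
    the alert is treated as showing post-compromise scanning. Anything else is
    left unconfirmed: absence of a scan does not make the alert a false positive,
    it just means other log sources have to be consulted.
    """
    activity = post_alert_activity(alert, events)
    if activity["distinct_dsts"] >= scan_threshold:
        return "likely true positive", activity
    return "unconfirmed", activity


if __name__ == "__main__":
    fw_events = parse_firewall_log(FIREWALL_LOG)
    for alert in ALERTS:
        verdict, summary = classify_alert(alert, fw_events)
        print(f"{alert['dst']} {alert['sig']!r}: {verdict} "
              f"({summary['distinct_dsts']} hosts, ports {summary['distinct_ports']})")
```

The threshold and the thirty-minute window are tuning knobs, not magic numbers; in practice you would also feed proxy and DNS events through the same `post_alert_activity` style of query, since a compromised host that pulls down a second-stage payload over HTTP shows up there rather than in a port sweep.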