Re: How can I recognize Snort rules with high false positive rate?

[Jason Haar <Jason.Haar () trimble co nz>]

On Thu, Jun 17, 2004 at 06:10:16PM -0400, Keith W. McCammon wrote:
> > In my network, low false positive rate is very more important than low
> > false negative rate.
>
> Ummm, I think you have it backwards.  False positives suck, but they can 
> be dealt with.  False negatives mean that attacks are bypassing the 
> sensor without detection.  If you don't mind false negatives, you're 
> wasting your time running an IDS.

I disagree. Hear what you are saying: "False negatives mean that attacks are
bypassing the sensor without detection". Are you impling that *ALL* IDS (or
even *ANY* IDS) picks up *ALL* attacks - i.e. zero false negatives?

If you agree that there is no product that has  zero false negatives, then
it becomes an issue of having a solution where the level of false negatives
is acceptable. i.e. if you have a Windows network, then having an IDS that
can pick up trojan outbreaks - but can't see Intellectual Property theft (a
false negative that is actually impossible to fix without extremely tight
human-dependent processes in place) might be acceptable. 


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


-------------------------------------------------------
This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer
Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users