Snort mailing list archives

Re: How can I recognize Snort rules with high false positive rate?


From: "Keith W. McCammon" <keith-list () mccammon org>
Date: Thu, 17 Jun 2004 21:17:19 -0400

In my network, low false positive rate is much more important than low
false negative rate.

Ummm, I think you have it backwards. False positives suck, but they can be dealt with. False negatives mean that attacks are bypassing the sensor without detection. If you don't mind false negatives, you're wasting your time running an IDS.


I disagree. I hear what you are saying: "False negatives mean that attacks are
bypassing the sensor without detection". Are you implying that *ALL* IDS (or
even *ANY* IDS) picks up *ALL* attacks - i.e. zero false negatives?

I'm not implying anything of the sort. I was implying just what I said: If given the choice between a FP and a FN, the FP is preferable. The OP stated that he wanted to get rid of FPs but didn't care about FNs, which is a very strange thing for an operator to say.

The goal of IDS tuning is to reduce FPs to an acceptable level, while trying to avoid setting up your system for FNs. This doesn't mean that I believe that there are never FNs--it just means that an operator should do everything possible to try and prevent them.

Taking the "I don't care about FNs" approach to tuning will usually result in the operator carelessly disabling features and attack classes in the name of getting rid of FPs, which will serve the immediate purpose, but will likely result in a lot of missed legitimate detects as well.

And when it all comes down to it, it's easy to dismiss FPs at the analyst's console. That's cheap compared to 50 FNs that were missed because some entire attack class was slashed in the name of FP reduction.

If you agree that there is no product that has zero false negatives, then
it becomes an issue of having a solution where the level of false negatives
is acceptable. i.e. if you have a Windows network, then having an IDS that
can pick up trojan outbreaks - but can't see Intellectual Property theft (a
false negative that is actually impossible to fix without extremely tight
human-dependent processes in place) might be acceptable.

I agree. Finding acceptable levels of alerts on both sides of the fence *is* important. But to take measures to reduce FPs, with little or no regard for the amount of FNs caused, is not the ideal approach.
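The tuning approach argued for above (handle a noisy rule per source with a suppression instead of disabling the rule or its whole attack class) and the thread's subject question (which rules are firing as likely false positives) can be illustrated with a small alert triage script. This is an added example, not code from the list or from the Snort project; the alert lines are constructed, and the frequency thresholds are assumptions to tune for your own sensor.

```python
import re
from collections import defaultdict

# Snort 2.x "alert_fast" line layout (assumption: no interface field in the output).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

# Constructed sample alerts (not a real capture): SID 1000001 fires repeatedly
# from one internal host, SID 1000002 fires from many distinct external sources.
SAMPLE_ALERTS = """\
06/17-21:01:02.000001  [**] [1:1000001:1] LOCAL noisy rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:34567 -> 10.0.0.9:80
06/17-21:01:03.000001  [**] [1:1000001:1] LOCAL noisy rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:34568 -> 10.0.0.9:80
06/17-21:01:04.000001  [**] [1:1000001:1] LOCAL noisy rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:34569 -> 10.0.0.9:80
06/17-21:01:05.000001  [**] [1:1000001:1] LOCAL noisy rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:34570 -> 10.0.0.9:80
06/17-21:05:00.000001  [**] [1:1000002:1] LOCAL scan-like rule [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 192.0.2.10:4444 -> 10.0.0.9:22
06/17-21:05:01.000001  [**] [1:1000002:1] LOCAL scan-like rule [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 192.0.2.11:4444 -> 10.0.0.9:22
06/17-21:05:02.000001  [**] [1:1000002:1] LOCAL scan-like rule [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 192.0.2.12:4444 -> 10.0.0.9:22
06/17-21:05:03.000001  [**] [1:1000002:1] LOCAL scan-like rule [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 192.0.2.13:4444 -> 10.0.0.9:22
"""

def parse_alerts(text):
    """Yield (sid, msg, src, dst) for every alert_fast line that matches the layout."""
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            yield m.group("sid"), m.group("msg"), m.group("src"), m.group("dst")

def fp_candidates(text, min_hits=4, max_src=1):
    """Per-SID triage of frequently firing rules.

    A rule that fires often from a single source is the classic tunable FP: the
    suggestion is a threshold.conf 'suppress' line scoped to that host, which keeps
    the rule (and its attack class) live for everyone else.  A rule firing from
    many sources is marked 'review' rather than silenced, since that pattern may
    be a real detect and suppressing it trades FPs for FNs."""
    hits, srcs = defaultdict(int), defaultdict(set)
    for sid, _msg, src, _dst in parse_alerts(text):
        hits[sid] += 1
        srcs[sid].add(src)
    out = {}
    for sid, n in hits.items():
        if n < min_hits:
            continue                      # below the noise threshold; leave alone
        if len(srcs[sid]) <= max_src:
            src = next(iter(srcs[sid]))
            out[sid] = f"suppress gen_id 1, sig_id {sid}, track by_src, ip {src}"
        else:
            out[sid] = "review"
    return out
```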

