RE: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network.
From: Graham, Robert (ISS Atlanta) (rgraham@iss.net)Date: 06/28/02
From: "Graham, Robert (ISS Atlanta)" <rgraham@iss.net>
To: "Tom D'Aquino" <tom_daquino@yahoo.com>, Andrew Plato <aplato@anitian.com>, focus-ids@securityfocus.com
Date: Fri, 28 Jun 2002 14:29:19 -0400
> From: Tom D'Aquino [mailto:tom_daquino@yahoo.com]
> Is this how the rest of the IDS community defines a false positive?
No.
The definition of a false-positive is "something you didn't want to see".
Different people want to see different things; everyone will define a
false-positive according to what they want to see. Different vendors use
different logic to trigger events; vendors will define false-positives in
terms of how their logic works.
Pretty much all the "definitions" of terms in the review come directly from
the various vendors. For any particular definition, you can often point out
which vendor that term likely came from. The definitions reflect the
marketing/positioning by those vendors rather than generic terms that would
broadly be accepted by the community.