RE: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network.

From: Graham, Robert (ISS Atlanta) (rgraham@iss.net)
Date: 06/28/02


From: "Graham, Robert (ISS Atlanta)" <rgraham@iss.net>
To: "Tom D'Aquino" <tom_daquino@yahoo.com>, Andrew Plato <aplato@anitian.com>, focus-ids@securityfocus.com
Date: Fri, 28 Jun 2002 14:29:19 -0400


> From: Tom D'Aquino [mailto:tom_daquino@yahoo.com]
> Is this how the rest of the IDS community defines a false positive?

No.

The definition of a false-positive is "something you didn't want to see".

Different people want to see different things; everyone will define a
false-positive according to what they want to see. Different vendors use
different logic to trigger events; vendors will define false-positives in
terms of how their logic works.

Pretty much all the "definitions" of terms in the review come directly from
the various vendors. For any particular definition, you can often point out
which vendor that term likely came from. The definitions reflect the
marketing/positioning by those vendors rather than generic terms that would
broadly be accepted by the community.
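A worked illustration of the point made above (an added example, not part of Graham's message or of any vendor's product): the same alert stream, scored against two different analyst policies, yields two different false-positive counts. The two "vendor" trigger logics, the sample events, the signature strings, the address allowlist and the policy functions are all constructed here for illustration and are not taken from the review being discussed.

```python
"""Added example: false positives are relative to what the observer wants to see.

Two constructed detection logics (signature matching vs. a port policy) are run
over a constructed event list, and each resulting alert stream is scored against
two constructed analyst policies.  Nothing here is vendor code or data from the
review under discussion.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    dport: int
    payload: str


# Constructed sample traffic (hypothetical addresses and payloads).
EVENTS = [
    Event("10.0.0.5", "10.0.1.20", 80, "GET /cgi-bin/phf?Qalias=x HTTP/1.0"),
    Event("10.0.0.9", "10.0.1.20", 80, "GET /index.html HTTP/1.0"),
    Event("10.0.2.7", "10.0.1.20", 22, "SSH-2.0-OpenSSH"),
    Event("10.0.0.5", "10.0.1.20", 23, "login: root"),
    Event("10.0.0.9", "10.0.1.20", 21, "USER anonymous"),
]

# "Vendor A" logic: substring signatures over the payload (constructed).
SIGNATURES = {
    "cgi-phf": "cgi-bin/phf",
    "telnet-root": "login: root",
    "ftp-anon": "USER anonymous",
}

# "Vendor B" logic: flag any cleartext administrative protocol by port (constructed).
CLEARTEXT_ADMIN_PORTS = {21, 23}

# Hosts one analyst team treats as known-benign admin boxes (constructed).
ADMIN_ALLOWLIST = {"10.0.0.9"}


def signature_alerts(events):
    """Vendor A: one alert per (signature, event) whose payload contains the string."""
    return [(name, ev) for ev in events
            for name, sig in SIGNATURES.items() if sig in ev.payload]


def port_policy_alerts(events):
    """Vendor B: one alert per event to a cleartext admin port, regardless of content."""
    return [("cleartext-admin", ev) for ev in events
            if ev.dport in CLEARTEXT_ADMIN_PORTS]


def wants_exploits_only(name, ev):
    """Analyst policy 1: only actual exploit attempts are worth seeing."""
    return name == "cgi-phf"


def wants_all_but_admin_hosts(name, ev):
    """Analyst policy 2: everything is worth seeing unless it came from an admin box."""
    return ev.src not in ADMIN_ALLOWLIST


def false_positive_count(alerts, wanted):
    """Count alerts the given analyst policy did not want to see."""
    return sum(1 for name, ev in alerts if not wanted(name, ev))


def fp_matrix(events=EVENTS):
    """False-positive count for each (detection logic, analyst policy) pair."""
    logics = {"signature": signature_alerts(events), "port-policy": port_policy_alerts(events)}
    policies = {"exploits-only": wants_exploits_only, "all-but-admin": wants_all_but_admin_hosts}
    return {(l, p): false_positive_count(alerts, fn)
            for l, alerts in logics.items() for p, fn in policies.items()}


if __name__ == "__main__":
    for (logic, policy), fps in sorted(fp_matrix().items()):
        print(f"{logic:12s} scored by {policy:14s}: {fps} false positive(s)")
```

Running it shows the signature engine producing three alerts and the port policy two, yet the false-positive count for either engine is 2 under the exploits-only policy and 1 under the admin-allowlist policy. Neither the detector nor the analyst is "wrong"; the number simply depends on what the analyst wanted to see.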