Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network.
From: Tom D'Aquino (tom_daquino@yahoo.com) Date: 06/28/02
- Previous message: Trey A Mujakporue: "FW: NFR Response: Concerns with NFR"
- In reply to: Andrew Plato: "Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network."
- Next in thread: zippy pinhead: "Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network."
- Next in thread: Milletary, Jason: "RE: Gateway IDS"
- Reply: zippy pinhead: "Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network."
- Reply: tHe fuJi: "Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network."
- Reply: Craig H. Rowland: "RE: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network."
- Reply: Matt.Carpenter@alticor.com: "Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network."
Date: Thu, 27 Jun 2002 18:01:22 -0700 (PDT)
From: Tom D'Aquino <tom_daquino@yahoo.com>
To: Andrew Plato <aplato@anitian.com>, focus-ids@securityfocus.com
Hi all,
Regarding this article, I found the following sections rather interesting:
"We considered an attack to be any compromise of any computing resource on
the "protected" network. That resource could be bandwidth, disk space, a
printer, a password file - basically, anything for which access is not
explicitly authorized. This is not the same as an attempted attack; if
there was no compromise, then the IDS is essentially reporting on a
vulnerability that doesn't exist. During the test, most of the IDSs
generated so many false positives that it was difficult to spot reports of
real attacks."
Is this how the rest of the IDS community defines a false positive? I
don't know of a single NIDS product capable of confirming whether or not
the host was compromised. I think if an actual attack was thrown at a
host, the IDS should report on it.
"But Opus One's servers run OpenVMS, not Windows. Even though it is
trivially easy to figure out what operating system a Web server uses, not
one of the IDSs did so."
Is nCircle the only company that has a device capable of this?
"Second, most IDSs don't offer a means of grouping hosts or networks
together under some easily remembered nickname. The exception is NFR,
which let user-defined groups be set up using its N-code programming
language."
Isn't this what the "var" command is for in Snort's config file?
Thanks for the input.
Tom D'Aquino
--- Andrew Plato <aplato@anitian.com> wrote:
> In-Reply-To: <000201c21bdd$5843dcc0$4c01a8c0@MINE>
>
>
> >Network World Fusion News has a comparison of 8 IDS's. This is an
> >interesting read.
> >
> >http://www.nwfusion.com/techinsider/2002/0624security1.html
>
> Great report.
>
> Next time they should do RealSecure on one of my Win2k appliances. I have
> RealSecure Sentry and Guard Appliances out at customer sites on Win2k that
> have been running error free for months. (sorry for the shameless plug)
>
> This also illustrates a dark side of IDSs that virtually no vendor will
> bother to tell you. IDSs require a lot of tuning and tweaking before they
> can become an integral part of your network. And there is always a certain
> percentage of events that are false positives. The only way to get a feel
> for this is to deploy and baseline those systems. Something they rarely
> bother to mention in the documentation you get.
>
> ------------------------------------
> Andrew Plato, CISSP
> President / Principal Consultant
> Anitian Corporation
> http://www.anitian.com
> ------------------------------------
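The disagreement above (the article counts an alert against a host that cannot be affected as a false positive, while Tom notes no NIDS can tell) is usually resolved outside the sensor, by correlating alerts with an asset inventory. The following is an added example, not code from this thread or from any of the products named; the asset map, signature platform metadata and alert lines are all constructed, and the alert layout is a simplified Snort "fast" format.

```python
import re

# Constructed asset inventory (host -> OS); values are made up for this example.
ASSET_OS = {"192.168.1.10": "OpenVMS", "192.168.1.20": "Windows 2000",
            "192.168.1.30": "Linux"}

# Constructed signature metadata: platforms a signature's exploit applies to.
# None means platform-independent (a scan); unknown signatures are never suppressed.
SIG_PLATFORMS = {"WEB-IIS cmd.exe access": {"Windows 2000", "Windows NT"},
                 "WEB-MISC /etc/passwd": {"Linux", "BSD", "Solaris"},
                 "SCAN nmap TCP": None}

# Simplified Snort "fast" alert layout: [**] [gid:sid:rev] msg [**] ... src:port -> dst:port
ALERT_RE = re.compile(r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
                      r"(?P<src>\d+(?:\.\d+){3}):\d+\s+->\s+(?P<dst>\d+(?:\.\d+){3}):\d+")

def triage(line):
    """Return {'msg','src','dst','verdict'} for one alert line, or None if unparsable."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    msg, src, dst = m.group("msg", "src", "dst")
    os_name = ASSET_OS.get(dst)
    platforms = SIG_PLATFORMS.get(msg)
    if os_name is None:
        verdict = "unknown-host"            # no inventory data: leave it for a human
    elif platforms is None or os_name in platforms:
        verdict = "relevant"                # the target could actually be affected
    else:
        verdict = "target-not-vulnerable"   # the article's "vulnerability that doesn't exist"
    return {"msg": msg, "src": src, "dst": dst, "verdict": verdict}

def summarize(lines):
    """Count verdicts over a batch of alert lines."""
    counts = {}
    for line in lines:
        t = triage(line)
        if t:
            counts[t["verdict"]] = counts.get(t["verdict"], 0) + 1
    return counts

# Constructed alert lines in the simplified layout above (not real traffic).
SAMPLE_ALERTS = [
    "06/27-18:01:22.000001 [**] [1:1002:5] WEB-IIS cmd.exe access [**] {TCP} 10.9.9.9:4444 -> 192.168.1.10:80",
    "06/27-18:01:23.000002 [**] [1:1002:5] WEB-IIS cmd.exe access [**] {TCP} 10.9.9.9:4445 -> 192.168.1.20:80",
    "06/27-18:01:24.000003 [**] [1:1122:4] WEB-MISC /etc/passwd [**] {TCP} 10.9.9.9:4446 -> 192.168.1.30:80",
    "06/27-18:01:25.000004 [**] [1:628:3] SCAN nmap TCP [**] {TCP} 10.9.9.9:4447 -> 192.168.1.99:21",
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        t = triage(a)
        print(f"{t['verdict']:22} {t['msg']} -> {t['dst']}")
    print(summarize(SAMPLE_ALERTS))
```

The first IIS alert lands on the OpenVMS host and is downgraded rather than dropped, which keeps the attempt visible (Tom's point) while separating it from alerts that need immediate attention (the article's point).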