RE: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network.

From: Craig H. Rowland (crowland@psionic.com)
Date: 06/28/02


From: "Craig H. Rowland" <crowland@psionic.com>
To: "Tom D'Aquino" <tom_daquino@yahoo.com>, <focus-ids@securityfocus.com>
Date: Fri, 28 Jun 2002 10:14:02 -0500


> Regarding this article, I found the following sections rather interesting:
>
> "We considered an attack to be any compromise of any computing resource on
> the "protected" network. That resource could be bandwidth, disk space, a
> printer, a password file - basically, anything for which access is not
> explicitly authorized. This is not the same as an attempted attack; if
> there was no compromise, then the IDS is essentially reporting on a
> vulnerability that doesn't exist. During the test, most of the IDSs
> generated so many false positives that it was difficult to spot reports of
> real attacks."
>
> Is this how the rest of the IDS community defines a false positive? I
> don't know of a single NIDS product capable of confirming whether or not
> the host was compromised. I think if an actual attack was thrown at a
> host, the IDS should report on it.

This is a blatant product plug for Psionic, but we just released our product called ClearResponse that actually does go onto the host and see if the attack worked. The product emulates many of the steps a security investigator would take to see if the attack worked (mapping OS against vulnerability, checking for installed patches, checking for suspicious log entries, etc.). In the case of an IIS attack, for example, the product will verify the OS is vulnerable and even go as far as to search log files on the target for traces of a successful attack. If traces are found the log files and other relevant information are copied from the host and the alarm is escalated to alert the administrator. The whole process takes less than five seconds. Our customers have been reporting great success with some false alarm reduction rates exceeding 98% for Cisco and ISS sensors. You can read more about it here:

http://www.psionic.com/products/clearresponse.html

-- Craig
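The verification flow described in the reply above (map the target's OS against the vulnerability, check installed patches, then look for traces of success in the target's own logs), written out as an added example; this is not code from the post or from Psionic's product, and the signature, patch id, hosts and log lines are all constructed for the demo.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Signature:
    name: str
    affected_os: set            # platforms the vulnerability applies to
    fixing_patch: str           # constructed patch id that closes the hole
    log_trace: re.Pattern       # what a successful exploit leaves in the target's log

@dataclass
class Verdict:
    status: str                 # "false_positive", "unverified" or "confirmed"
    reason: str
    evidence: list = field(default_factory=list)

# Constructed signature: IIS-only vulnerability, closed by patch KB-EXAMPLE-1;
# a successful request for cmd.exe shows up in the IIS log with status 200.
IIS_SIG = Signature("IIS-EXAMPLE", {"windows-iis5"}, "KB-EXAMPLE-1",
                    re.compile(r"cmd\.exe\S* 200$"))

# Constructed asset inventory: host -> (OS, installed patches)
INVENTORY = {
    "10.0.0.5": ("windows-iis5", {"KB-EXAMPLE-1"}),   # patched
    "10.0.0.7": ("linux-apache", set()),              # wrong platform
    "10.0.0.9": ("windows-iis5", set()),              # exposed
}

# Constructed, simplified IIS-style log lines per host
HOST_LOGS = {
    "10.0.0.5": ["2002-06-28 10:14:01 10.9.9.9 GET /scripts/cmd.exe 404"],
    "10.0.0.9": ["2002-06-28 10:13:55 10.9.9.9 GET /default.htm 200",
                 "2002-06-28 10:14:01 10.9.9.9 GET /scripts/cmd.exe 200"],
}

def verify_alert(sig, target, inventory=INVENTORY, logs=HOST_LOGS):
    """Decide whether a NIDS alert for `sig` against `target` deserves escalation."""
    if target not in inventory:
        return Verdict("unverified", "target not in inventory")
    os_name, patches = inventory[target]
    if os_name not in sig.affected_os:
        return Verdict("false_positive", f"{os_name} not affected by {sig.name}")
    if sig.fixing_patch in patches:
        return Verdict("false_positive", f"{sig.fixing_patch} installed on target")
    hits = [line for line in logs.get(target, []) if sig.log_trace.search(line)]
    if hits:
        return Verdict("confirmed", "exploit traces found in target log", hits)
    return Verdict("unverified", "target vulnerable, no traces in log yet")
```

Only the "confirmed" verdict carries evidence to escalate; the two "false_positive" verdicts are the alerts that would otherwise bury real attacks in the noise the article complains about.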

