Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network.

From: Matt.Carpenter@alticor.com
Date: 06/28/02


To: tom_daquino@yahoo.com
Date: Fri, 28 Jun 2002 10:45:07 -0400


"Tom D'Aquino" <tom_daquino@yahoo.com>
>>"We considered an attack to be any compromise of any computing resource on
>>the "protected" network. That resource could be bandwidth, disk space, a
>>printer, a password file - basically, anything for which access is not
>>explicitly authorized. This is not the same as an attempted attack; if
>>there was no compromise, then the IDS is essentially reporting on a
>>vulnerability that doesn't exist. During the test, most of the ISPs
>>generated so many false positives that it was difficult to spot reports of
>>real attacks."

>Is this how the rest of the IDS community defines a false positive?

That sounds a little whacked. I don't necessarily take issue with the
definition of "Attack" so much as his description of "Attempted Attack". A
very important part of policing your network includes reporting those who
are looking for trouble, especially unaware admins whose boxen are
attempting to auto-replicate the latest NIMDA or Code Red descendants. If
alerting to this type of behavior is "essentially reporting on a
vulnerability that doesn't exist", I would not want him anywhere on my
security team. I didn't read the article, so I can't comment on his
knowledge overall, but this comment didn't inspire me to esteem his opinion
of value. I do understand that "false positives" are annoying and
troublesome, but he seems to include "bad stuff that didn't happen to work"
in that definition. Not good.

>>"But Opus One's servers run OpenVMS, not Windows. Even though it is
>>trivially easy to figure out what operating system a Web server uses, not
>>one of the IDSs did so."

Yes, this might be a nice thing for an IDS to do (check the OS and Software
when or before an attack), but that sounds an awful lot like "bad traffic"
to me. Somehow our IDS boxes would be doing the very things we don't want to
see on a network. Not to mention that in a split-responsibility environment, this
is a political nightmare. Some NT/IIS Admin suddenly has someone else he
can blame when s/he's asked to explain why they have to reboot their boxes
so often. No thanks. If that is of value, make sure it is something which
can be turned OFF, please.


