False positives & the nwfusion article
From: Andrew Plato (aplato@anitian.com) Date: 06/28/02
- Previous message: Matt.Carpenter@alticor.com: "Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network."
Date: Thu, 27 Jun 2002 18:11:14 -0700
From: "Andrew Plato" <aplato@anitian.com>
To: "Tom D'Aquino" <tom_daquino@yahoo.com>, <focus-ids@securityfocus.com>
That is a really good point Tom. I did not catch that little tidbit in the article.
I would agree that under review, those requirements seem a bit absurd. IDSs (especially network-based IDSs) are generally not a product that can confirm compromise. An attempt to compromise a system can be just as revealing as an actual compromise. In fact, I would bet that the overwhelming majority of IDS events reported that are *not* false positives are the result of a failed attempt at compromise. It sounds like the testers did not have a good understanding of an IDS's capabilities. Now, were they testing host-based IDS, we could apply different standards, since some HIDS have reactive capability to defend themselves. But still, these units will report attempted and failed intrusions.
Furthermore, as for grouping. I know for a fact that RealSecure Sentries can be grouped together in ICEcap. But they didn't test RS Sentry, but the older RS Network Sensor on Nokia.
I am glad you pointed this out. It makes that whole article seem rather meaningless now.
------------------------------------
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
(503) 644-5656 office
(503) 201-0821 cell
http://www.anitian.com
------------------------------------
> -----Original Message-----
> From: Tom D'Aquino [mailto:tom_daquino@yahoo.com]
> Sent: Thursday, June 27, 2002 6:01 PM
> To: Andrew Plato; focus-ids@securityfocus.com
> Subject: Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network.
>
> Hi all,
>
> Regarding this article, I found the following sections rather interesting:
>
> "We considered an attack to be any compromise of any computing resource on the "protected" network. That resource could be bandwidth, disk space, a printer, a password file - basically, anything for which access is not explicitly authorized. This is not the same as an attempted attack; if there was no compromise, then the IDS is essentially reporting on a vulnerability that doesn't exist. During the test, most of the ISPs generated so many false positives that it was difficult to spot reports of real attacks."
>
> Is this how the rest of the IDS community defines a false positive? I don't know of a single NIDS product capable of confirming whether or not the host was compromised. I think if an actual attack was thrown at a host, the IDS should report on it.
>
> "But Opus One's servers run OpenVMS, not Windows. Even though it is trivially easy to figure out what operating system a Web server uses, not one of the IDSs did so."
>
> Is nCircle the only company that has a device capable of this?
>
> "Second, most IDSs don't offer a means of grouping hosts or networks together under some easily remembered nickname. The exception is NFR, which let user-defined groups be set up using its N-code programming language."
>
> Isn't this what the "var" command is for in Snort's config file?
>
> Thanks for the input.
> Tom D'Aquino
>
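As an added illustration of the "var" point Tom raises (this is an example fragment, not code from the thread and not from Snort's own distribution; the addresses, group names and the sid are constructed), a Snort 2.x snort.conf defines a group of hosts once under a nickname and then references that nickname in rules, which is exactly the "easily remembered nickname" grouping the article says only NFR offered:

```snort
# Added example: Snort 2.x configuration fragment showing host grouping with var.
# All addresses, group names and the sid below are constructed for illustration.

# Group definitions: a bracketed, comma-separated list (no spaces inside the brackets).
var HOME_NET [10.1.1.0/24,10.1.2.0/24]
var EXTERNAL_NET !$HOME_NET
var WEB_SERVERS [10.1.1.10,10.1.1.11]     # the "web farm" nickname
var HTTP_PORTS 80

# A rule scoped to the group: it only fires for traffic whose destination is
# one of the WEB_SERVERS members. The sid is in the local (>= 1000000) range.
alert tcp $EXTERNAL_NET any -> $WEB_SERVERS $HTTP_PORTS (msg:"LOCAL cmd.exe request to web farm"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)
```

Scoping rules to a group this way also addresses the article's OpenVMS observation from the other direction: a Windows-specific signature bound to a group that contains only Windows web servers does not alert on requests to hosts where the target vulnerability cannot exist, which removes one class of "attack on a vulnerability that doesn't exist" alerts without the sensor having to fingerprint the target's operating system. Later Snort 2.x releases added ipvar for IP address lists; the var form shown here is what the 2002-era configuration used.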