RE: "false positive" inanity

From: Lance Spitzner (lance@honeynet.org)
Date: 07/07/02


Date: Sun, 7 Jul 2002 09:54:47 -0500 (CDT)
From: Lance Spitzner <lance@honeynet.org>
To: "Tom D'Aquino" <tom_daquino@yahoo.com>

On Fri, 5 Jul 2002, Tom D'Aquino wrote:

> I am in total agreement with the first few statements. But nobody here is
> saying that the IDS market is perfect. All of the technologies I have
> experience with have the ability to do most of the things you are asking
> for. User friendly or otherwise intuitive configuration is a different
> story. The technologies are improving everyday and will continue to do so
> for years to come (hopefully).

One of the reasons I'm such a big fan of honeypot technologies. Not only
do they dramatically reduce false positives, but they catch the unknown
attacks, reducing false negatives :)

lance
http://www.tracking-hackers.com

>
> But the fact remains that not even an IP 360 from nCircle is going to
> replace the need for human interaction to perform an in-depth analysis of
> what is happening on the wire (or in the air for that matter). There
> simply is not a network based system that can determine for certain
> whether or not an attack has led to a successful compromise on a
> consistent basis. This is asking too much of a single device (IMO). I
> believe that the best solution is acquired through a defense in depth
> approach. Your valued assets should be protected with (among other
> things) a firewall, a NIDS and where necessary HIDS. With these three
> tools, a qualified security engineer should be able to evaluate attempted
> attacks and determine whether or not a compromise has taken place with a
> successful degree of accuracy.
>
> Once again, just my opinion.
> Thanks,
> Tom
>

> > Dropping information is not what I want to see. What I want
> > to see is:
> >
> > -- ability to tune its priority (something some vendors
> > seem to be clueless about, unless you count the torture
> > they call management consoles.)
> > -- ability to retrieve data at some later time ("dump the
> > whole database every 10 hours or the system will crash"
> > doesn't seem conducive to this...)
> > -- ability to CHOOSE if such things are high priority.
> > -- ability to CHOOSE if such things are some other priority
> > (so for example I would prefer to
> > drop some of these things from 'high' to 'medium' priority,
> > then as a matter of monitoring policy I'd of course not ignore
> > but not go nuts about the 'medium' priority events.)
> >
> > Declaring, unilaterally, in a non-configurable manner,
> > that some dingbat in another country is sending me a URL with
> > 'cmd.exe' in the middle of it is a fact I do wish to process,
> > but making me listen to the box shouting I've been 'attacked'
> > is stupid and not necessarily something I'd want to pay money for.
> >
> > Now if 'cmd.exe' floats in the door, and then my web server starts doing
> > odd things (like anything other than a 404 response?) I would be most
> > appreciative if the IDS started shouting that there was an intrusion.
> >
> > In fact, I am sometimes the person who wants the network monitored
> > in 'paranoid' mode, where I really really do want to hear about
> > every little twitch and rustle in the underbrush outside my firewall.
> > However, I don't think a product grade solution should force that
> > strategy on its users all the time.



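The correlation asked for in the quoted message (a cmd.exe request is worth recording, but only a web server that answers it with something other than a 404 should set off the alarm, and the operator, not the vendor, picks how loud each case is) is small enough to sketch. The following is an added example, not code from anyone in the thread or from any IDS product. The log lines are constructed in Apache combined log format for illustration; the priority names and the 403/404 cutoff are assumptions an operator would tune.

```python
import re

# Constructed sample web-server log lines (Apache combined format), not from the original post.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2002:10:12:01 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
203.0.113.7 - - [05/Jul/2002:10:12:02 -0500] "GET /_vti_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
198.51.100.23 - - [05/Jul/2002:10:15:44 -0500] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
192.0.2.99 - - [05/Jul/2002:11:03:10 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 200 943 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Operator-tunable priority table (assumed names). The point of the post is that the
# operator, not the vendor, decides how loud each outcome is.
DEFAULT_PRIORITIES = {
    "probe_rejected": "medium",   # cmd.exe requested, server answered 403/404
    "probe_answered": "high",     # cmd.exe requested, server answered anything else
}


def classify(line, priorities=DEFAULT_PRIORITIES):
    """Return (priority, reason, fields) for a cmd.exe request, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    if "cmd.exe" not in f["uri"].lower():
        return None
    status = int(f["status"])
    # A 403/404 means the server refused: worth recording, not worth an alarm.
    if status in (403, 404):
        return priorities["probe_rejected"], "cmd.exe requested, server refused (%d)" % status, f
    # Anything else is the "odd thing" the post wants the IDS to shout about.
    return priorities["probe_answered"], "cmd.exe requested, server answered %d" % status, f


def triage(log_text, priorities=DEFAULT_PRIORITIES):
    """Run classify() over every line and return the resulting events in log order."""
    events = []
    for line in log_text.splitlines():
        r = classify(line, priorities)
        if r:
            prio, reason, f = r
            events.append({"src": f["src"], "ts": f["ts"], "priority": prio,
                           "reason": reason, "uri": f["uri"]})
    return events


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print("%-6s %s %s %s" % (e["priority"].upper(), e["ts"], e["src"], e["reason"]))
```

Against the constructed sample, the two rejected probes from 203.0.113.7 come out at medium priority and the 200 response to 192.0.2.99 comes out at high; passing a different priority table to triage() is the "choose if such things are high priority" knob the message asks for. The status-code split is a crude proxy for "server did something odd"; a host agent on the web server would be the better witness for whether cmd.exe actually ran.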