Re: False positives, negatives and don't cares
From: Bennett Todd (bet_at_rahul.net)
Date: 08/11/03
- Previous message: Martin Roesch: "False positives, negatives and don't cares"
- In reply to: Martin Roesch: "False positives, negatives and don't cares"
- Next in thread: Martin Roesch: "Re: False positives, negatives and don't cares"
- Reply: Martin Roesch: "Re: False positives, negatives and don't cares"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 11 Aug 2003 11:16:47 -0400
To: Martin Roesch <roesch@sourcefire.com>
A very thought-provoking note (no surprise there).
I think it's fair to distinguish genuine false-positives (result of
flawed analysis/sigs/whatever triggering on truly legit traffic)
from irrelevant-to-local-context attacks.
And I agree that these irrelevant-to-local-context attacks can
produce useful intelligence.
But to my tastes, a more exciting way to approach things is to
programmatically weed the sig set down, resulting in small enough
analytic sets to allow very fast processing.
[ Disclaimer re following: I've looked at the product, but not
actually used it. ]
I think nCircle has a pretty sexy product in that vein; they've
worked on non-disruptive automated vuln scanning, and coupled that
to an IDS engine that's used to watch for attempts to exploit
apparently-vulnerable servers. So on a sufficiently tightly-tuned
plant, the IDS engine would normally not be active; it'd only begin
looking for a small number of sigs when a config error opens a vuln,
and would only remain active until admins respond to the alerts and
plug the holes.
-Bennett
- application/pgp-signature attachment: stored
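The scan-driven signature selection described in the message above, as an added example: this is not code from the post, from Snort, or from nCircle's product. The scanner output, the vulnerability tags (`V-WEB-1` and friends), the signature ids and content markers, and the traffic events are all constructed for the illustration. It weeds a full signature set down to the signatures relevant to hosts a (hypothetical) scanner reports as vulnerable, alerts only for those, and shows the active set shrinking again once a host is patched and re-scanned.

```python
"""Vulnerability-aware IDS signature selection (added illustration).

Not code from the mailing-list post or from any vendor's product: every
host, vulnerability tag, signature id and event below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signature:
    sid: int
    vuln_id: str   # constructed tag of the vulnerability the sig watches for attempts against
    service: str   # service the sig applies to
    pattern: str   # constructed content marker standing in for a real content match


@dataclass
class ScanResult:
    """host -> set of vulnerability tags reported by a (hypothetical) non-disruptive scanner."""
    vulns_by_host: dict[str, set[str]] = field(default_factory=dict)

    def mark_patched(self, host: str, vuln_id: str) -> None:
        """Simulate a re-scan after admins plug the hole."""
        self.vulns_by_host.get(host, set()).discard(vuln_id)


def active_signatures(all_sigs: list[Signature], scan: ScanResult) -> dict[str, set[Signature]]:
    """Weed the full sig set down to those relevant to apparently-vulnerable hosts."""
    active: dict[str, set[Signature]] = {}
    for host, vulns in scan.vulns_by_host.items():
        relevant = {s for s in all_sigs if s.vuln_id in vulns}
        if relevant:  # hosts with no open vulns get no sigs at all
            active[host] = relevant
    return active


def active_sids(active: dict[str, set[Signature]]) -> dict[str, list[int]]:
    return {host: sorted(s.sid for s in sigs) for host, sigs in active.items()}


def evaluate(events: list[dict], active: dict[str, set[Signature]]) -> list[tuple[str, int]]:
    """Alert only when an event hits a host currently vulnerable to what the sig detects."""
    alerts = []
    for ev in events:
        for sig in sorted(active.get(ev["dst"], ()), key=lambda s: s.sid):
            if sig.service == ev["service"] and sig.pattern in ev["payload"]:
                alerts.append((ev["dst"], sig.sid))
    return alerts


def context_free_hits(events: list[dict], all_sigs: list[Signature]) -> int:
    """Baseline: how many events the full sig set would flag with no scan context."""
    return sum(
        1 for ev in events for s in all_sigs
        if s.service == ev["service"] and s.pattern in ev["payload"]
    )


# Constructed signature set.
SIGS = [
    Signature(1001, "V-WEB-1", "http", "probe-web-1"),
    Signature(1002, "V-WEB-2", "http", "probe-web-2"),
    Signature(1003, "V-SSH-1", "ssh", "probe-ssh-1"),
]

# Constructed traffic events (dst host, service, payload).
EVENTS = [
    {"dst": "10.0.0.5", "service": "http", "payload": "GET /a probe-web-1"},
    {"dst": "10.0.0.5", "service": "http", "payload": "GET /b probe-web-2"},  # not vulnerable to this
    {"dst": "10.0.0.7", "service": "http", "payload": "GET /a probe-web-1"},  # clean host
    {"dst": "10.0.0.6", "service": "ssh", "payload": "banner probe-ssh-1"},
]


def build_scan() -> ScanResult:
    """Constructed scanner output: 10.0.0.7 is clean, the others have open vulns."""
    return ScanResult({
        "10.0.0.5": {"V-WEB-1"},
        "10.0.0.6": {"V-SSH-1", "V-WEB-2"},
        "10.0.0.7": set(),
    })


def demo() -> dict:
    scan = build_scan()
    before = active_signatures(SIGS, scan)
    alerts_before = evaluate(EVENTS, before)
    scan.mark_patched("10.0.0.5", "V-WEB-1")      # admins fix the web host, re-scan
    after = active_signatures(SIGS, scan)
    return {
        "full_set_hits": context_free_hits(EVENTS, SIGS),
        "active_before": active_sids(before),
        "alerts_before": alerts_before,
        "active_after": active_sids(after),
        "alerts_after": evaluate(EVENTS, after),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline count shows why this matters: the untuned sig set flags all four events, while the scan-aware set alerts on the two that target a host that is actually exposed, and drops to one once the web host is patched. A real deployment would key signatures to the scanner's own vulnerability identifiers and would need the re-scan cadence to be short enough that a host does not stay unwatched between a config error and the next scan.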