RE: "False postive" database idea

From: Chad I. Uretsky (c.uretsky_at_netiq.com)
Date: 09/24/03

  • Next message: George Bakos: "Re: "False postive" database idea"
    To: focus-ids@securityfocus.com
    Date: Wed, 24 Sep 2003 13:05:57 -0000
    
    

    While this sounds like a good idea in theory, I can see a drawback.

    What is to prevent someone from crafting a new attack, checking what its
    signature looks like in a NIDS, then submitting that signature for insertion
    into the database? If the database were then updated with such a signature,
    those utilizing the database to identify "false positives" would identify
    the signature of such an attack as a false positive.

    Of course, if every signature underwent incredible scrutiny before being
    allowed to be added to the database, perhaps this could be avoided. But who
    is going to do the scrutinizing?

    Just a couple of thoughts.

    Chad Uretsky, CISSP, CCNP

    -----Original Message-----
    From: Anton A. Chuvakin [mailto:anton@chuvakin.org]
    Sent: Tuesday, September 23, 2003 11:52 AM
    To: focus-ids@securityfocus.com
    Subject: "False postive" database idea

    All,

    I suspect most people monitoring lots of NIDS sensors start to have their
    own favorite "false positives". After I upped the number of snort sensors
    I run, I started seeing lots of nice ones :-) And that made me think of the
    following idea.

    Why can't a public database of "false positives" be created so that NIDS
    users everywhere can submit theirs and make life simple for everybody? Of
    course, that applies to NIDS with open sigs such as Snort and Dragon.
    Obviously, lots of FPs are specific to a certain brand of NIDS, but I
    think it will still be pretty useful (especially since other NIDS vendors
    are adopting Snort sig language...)

    For example, submission may take the form of 'Application X during auth
    phase always triggers snort alarm Y' or 'I keep seeing this in my
    environment; here is the packet dump, here is the alert X which gets
    triggered'

    I suspect implementing such an idea will optimize the NIDS rule
    development by a large margin and will help to fight off evil anti-NIDS
    FUD.

    Just to clarify, "false positive" here is a known benign triggering of a
    NIDS alert (NOT 'my Apache is hit by CodeRed' some people are confused
    about :-)). E.g. (just saw it :-)) fetchmail SSL auth under such and such
    conditions triggers snort 649 SHELLCODE sig.

    Best,

    -- 
      Anton A. Chuvakin, Ph.D., GCI*
         http://www.chuvakin.org
       http://www.info-secure.org
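As an added illustration, not code from the thread or from any product named in it, here is a toy model of how Anton's submission format ('application X under condition Y triggers Snort sig Z') and the scrutiny Chad asks for could be combined: a record only becomes a Snort suppress entry after independent review, and even then it is scoped to the hosts where the benign trigger was observed. The record contents, host addresses and reviewer names are constructed; the output uses Snort's threshold.conf `suppress` syntax.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FPRecord:
    """One submission: 'application X under condition Y triggers sig Z'."""
    gen_id: int
    sig_id: int               # e.g. 649, the SHELLCODE sig from the thread
    application: str          # e.g. "fetchmail SSL auth"
    condition: str
    submitter: str
    src_hosts: tuple          # hosts where the benign trigger was observed
    reviewers: frozenset = field(default_factory=frozenset)

    def approved(self, min_reviews: int = 2) -> bool:
        # Independent scrutiny: the submitter cannot vouch for their own entry.
        return len(self.reviewers - {self.submitter}) >= min_reviews


def snort_suppress_lines(records, min_reviews: int = 2):
    """Turn approved records into Snort 'suppress' lines (threshold.conf syntax).

    Each line is scoped with 'track by_src' to the hosts named in the record,
    so an approved entry quiets the alert only for the systems where the
    benign trigger was actually seen, never network-wide.
    """
    lines = []
    for r in records:
        if not r.approved(min_reviews):
            continue            # unvetted submissions never reach a sensor
        for host in r.src_hosts:
            lines.append(
                f"suppress gen_id {r.gen_id}, sig_id {r.sig_id}, "
                f"track by_src, ip {host}"
            )
    return lines


# Constructed sample submissions (hosts, reviewer names and sig 99999 are made up).
SAMPLE_RECORDS = [
    FPRecord(1, 649, "fetchmail SSL auth", "TLS handshake to the mail server",
             "anton", ("10.0.0.5", "10.0.0.6"), frozenset({"anton", "chad", "george"})),
    # Submitter is the only reviewer: exactly the case the reply warns about.
    FPRecord(1, 649, "unknown tool", "unspecified", "mallory", ("10.0.0.99",),
             frozenset({"mallory"})),
    # One independent review so far: held back until a second one arrives.
    FPRecord(1, 99999, "custom app", "binary upload", "bob", ("10.0.0.7",),
             frozenset({"chad"})),
]

if __name__ == "__main__":
    for line in snort_suppress_lines(SAMPLE_RECORDS):
        print(line)
```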
