Re: Announcement: Alert Verification for Snort
From: Sam f. Stover (sstover_at_atrc.sytexinc.com)
Date: Thu, 23 Oct 2003 06:53:41 -0400 To: Martin Roesch <email@example.com>
On Wednesday, October 22, 2003, at 11:22 PM, Martin Roesch wrote:
> In case 2 the "nontextual" isn't a false positive but I think that
> most people are calling it an FP these days. I *personally* think
> that's a misconception. What we have in that case is a *real attack*
> that your IDS is detecting exactly as it was asked to. Just because
> it doesn't have the additional information about the context or
> relevance of the event isn't a problem with the IDS, it's a side
> effect of the way that NIDS have been built for the past 10 years.
In the not too distant past I would have agreed with this - but I think
as IDS implementations grew, the way people describe FPs has changed.
I think today's IDS *needs* to know "the additional information about
the context and relevance" - because the event you are referring to is
what I'll call an "effective FP". Effective because any time I spend
trying to track down an IIS attack on an apache box is wasted effort.
I completely understand your point Marty, because an attack did occur,
and the IDS did log it. However, if it is going to log it, then I want
it to tell me that the severity of the attack is lessened because it
didn't succeed. Even better, I want to see the 404 or 403 error, so I
can show my boss why I didn't even bother to look into it.
I want my IDS to differentiate between an IIS attack on my apache box
and an IIS attack on an IIS box. I don't really care how it does it.
The two main methods, as I see it, are passive fingerprinting or
integration with another tool like a vuln scanner. Both have their
drawbacks w/ relation to different environments - which could probably
fuel a complete thread.
The IDS landscape has changed. Ten years ago, the type of event
mentioned was probably not considered a FP. But at that time, IDS was
an infant and people weren't dealing with events on the scale of
millions per day like they are today. Current-day NIDS need to evolve
to solve the problems that current-day users are facing. IMHO 10 years
ago, NIDS administrators could afford to be a bit more interested in
all kinds of attacks. IDS was a new and exciting technology. I think
it's lost some of it's glamour since then and people have to use it as
just another tool. And the people I talk to don't have the time nor
resources to run down half of the "real" attacks, much less look into
attacks that will never succeed.
Just my $0.02
- application/pgp-signature attachment: PGP.sig