Re: Announcement: Alert Verification for Snort

From: Sam f. Stover (
Date: Thu, 23 Oct 2003 06:53:41 -0400
To: Martin Roesch <>

  • Next message: Raistlin: "Re: Announcement: Alert Verification for Snort"

On Wednesday, October 22, 2003, at 11:22 PM, Martin Roesch wrote:

> In case 2 the "nontextual" isn't a false positive but I think that
> most people are calling it an FP these days. I *personally* think
> that's a misconception. What we have in that case is a *real attack*
> that your IDS is detecting exactly as it was asked to. Just because
> it doesn't have the additional information about the context or
> relevance of the event isn't a problem with the IDS, it's a side
> effect of the way that NIDS have been built for the past 10 years.

In the not-too-distant past I would have agreed with this - but I think
that as IDS implementations grew, the way people describe FPs has changed.
I think today's IDS *needs* to know "the additional information about
the context and relevance" - because the event you are referring to is
what I'll call an "effective FP". Effective because any time I spend
trying to track down an IIS attack on an Apache box is wasted effort.
I completely understand your point Marty, because an attack did occur,
and the IDS did log it. However, if it is going to log it, then I want
it to tell me that the severity of the attack is lessened because it
didn't succeed. Even better, I want to see the 404 or 403 error, so I
can show my boss why I didn't even bother to look into it.

I want my IDS to differentiate between an IIS attack on my Apache box
and an IIS attack on an IIS box. I don't really care how it does it.
The two main methods, as I see it, are passive fingerprinting or
integration with another tool like a vuln scanner. Both have their
drawbacks in relation to different environments - which could probably
fuel a complete thread.

The IDS landscape has changed. Ten years ago, the type of event
mentioned was probably not considered an FP. But at that time, IDS was
an infant and people weren't dealing with events on the scale of
millions per day like they are today. Current-day NIDS need to evolve
to solve the problems that current-day users are facing. IMHO 10 years
ago, NIDS administrators could afford to be a bit more interested in
all kinds of attacks. IDS was a new and exciting technology. I think
it's lost some of its glamour since then and people have to use it as
just another tool. And the people I talk to don't have the time or the
resources to run down half of the "real" attacks, much less look into
attacks that will never succeed.

Just my $0.02
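The verification logic the post asks for (an IIS signature against an Apache host downgraded to an "effective FP", a 403/404 from a matching host marked as a failed attempt, a 2xx flagged for a look), as an added Python example that is not code from the thread, from Snort, or from the Alert Verification project being announced. The host inventory stands in for what passive fingerprinting or a vulnerability scanner would supply; the rule-name-prefix-to-platform mapping, the inventory and the sample alerts are all constructed for illustration.

```python
"""Alert verification sketch: rank a Snort-style alert by target context.

Added example, not code from the thread or from Snort. The inventory,
the rule-name-to-platform mapping and the sample alerts are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed host inventory, the kind of data a passive fingerprinter
# (banner capture) or a vulnerability scanner would feed the IDS.
INVENTORY: Dict[str, str] = {
    "10.0.0.5": "Apache/2.0.47 (Unix)",
    "10.0.0.9": "Microsoft-IIS/5.0",
}

# Assumption: the Snort rule-name prefix tells us which web platform a
# signature is written for. Illustrative mapping, not a Snort feature.
PLATFORM_HINTS: Dict[str, str] = {
    "WEB-IIS": "microsoft-iis",
    "WEB-FRONTPAGE": "microsoft-iis",
}

STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")


def platform_for(sig: str) -> Optional[str]:
    """Return the platform a rule targets, derived from its name prefix."""
    prefix = sig.split(" ", 1)[0]
    return PLATFORM_HINTS.get(prefix)


def response_status(response: Optional[str]) -> Optional[int]:
    """Parse the status code out of a captured server response line."""
    if not response:
        return None
    m = STATUS_RE.match(response)
    return int(m.group(1)) if m else None


def verify(sig: str, dst_ip: str, response: Optional[str],
           inventory: Dict[str, str] = INVENTORY) -> Tuple[str, str]:
    """Classify one alert: a verdict plus the evidence to show an analyst.

    effective_fp  real attack, but the target platform cannot be affected
    failed        right platform, server rejected the request (403/404)
    possible_hit  right platform, server answered 2xx: worth a look
    unverified    not enough context to decide either way
    """
    banner = inventory.get(dst_ip)
    wanted = platform_for(sig)
    status = response_status(response)

    if banner is None:
        return "unverified", f"no inventory entry for {dst_ip}"
    if wanted and wanted not in banner.lower():
        # The IDS did what it was asked; the post calls this an "effective FP".
        return "effective_fp", f"{sig!r} targets {wanted}, host runs {banner}"
    if status in (403, 404):
        return "failed", f"target answered {status}"
    if status is not None and 200 <= status < 300:
        return "possible_hit", f"target answered {status}; investigate"
    return "unverified", "platform matches but no usable response captured"


# Constructed sample alerts: (rule name, destination IP, captured response line).
SAMPLE_ALERTS: List[Tuple[str, str, Optional[str]]] = [
    ("WEB-IIS cmd.exe access", "10.0.0.5", "HTTP/1.1 404 Not Found"),
    ("WEB-IIS cmd.exe access", "10.0.0.9", "HTTP/1.1 404 Not Found"),
    ("WEB-IIS cmd.exe access", "10.0.0.9", "HTTP/1.1 200 OK"),
    ("WEB-IIS cmd.exe access", "10.0.0.22", None),
]


def triage(alerts=SAMPLE_ALERTS) -> List[str]:
    """Run verification over a batch and return the verdicts in order."""
    return [verify(sig, ip, resp)[0] for sig, ip, resp in alerts]


if __name__ == "__main__":
    for (sig, ip, resp), verdict in zip(SAMPLE_ALERTS, triage()):
        print(f"{ip:10} {sig:24} -> {verdict:12} ({verify(sig, ip, resp)[1]})")
```

The platform check is deliberately applied before the response-code check: a 404 from an Apache host tells you nothing about IIS exploitability, so the mismatch is the stronger evidence and is what gets reported. Hosts missing from the inventory stay "unverified" rather than being quietly downgraded, which is the failure mode to watch for when the fingerprint or scan data is stale.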

