Re: Announcement: Alert Verification for Snort

From: Martin Roesch (roesch_at_sourcefire.com)
Date: 10/24/03

    Date: Thu, 23 Oct 2003 22:01:26 -0400
    To: Christopher Kruegel <chris@cs.ucsb.edu>
    
    

    On Oct 23, 2003, at 7:03 PM, Christopher Kruegel wrote:

    >>> In case 2 the "nontextual" isn't a false positive but I think that
    >>> most people are calling it an FP these days. I *personally* think
    >>> that's a misconception. What we have in that case is a *real
    >>> attack* that your IDS is detecting exactly as it was asked to. Just
    >>> because it doesn't have the additional information about the context
    >>> or relevance of the event isn't a problem with the IDS, it's a side
    >>> effect of the way that NIDS have been built for the past 10 years.
    >>
    >> In the not too distant past I would have agreed with this - but I
    >> think as IDS implementations grew, the way people describe FPs has
    >> changed. I think today's IDS *needs* to know "the additional
    >> information about the context and relevance" - because the event you
    >> are referring to is what I'll call an "effective FP". Effective
    >> because any time I spend trying to track down an IIS attack on an
    >> apache box is wasted effort. I completely understand your point
    >> Marty, because an attack did occur, and the IDS did log it. However,
    >> if it is going to log it, then I want it to tell me that the severity
    >> of the attack is lessened because it didn't succeed. Even better, I
    >> want to see the 404 or 403 error, so I can show my boss why I didn't
    >> even bother to look into it.
    >
    > From a theoretical point of view, I think that Marty is right and his
    > classification is correct. In fact, we had a discussion about whether
    > 'alert verification' was the correct term to use. We then concluded
    > that most people don't care why they spent time looking at an alert
    > that doesn't matter to them and that they refer to such alerts in
    > general as false positives. That's why we used the terminology that we
    > did.

    I think alert verification is a fine term; I just want people to
    understand the distinction between false positives and nontextuals. We
    can do something about both of those cases, but they require different
    solutions to address. I don't want to confuse the issue: if I come out
    with separate solutions that both address "false positives", people
    will ask why I couldn't get it right the first time. :)

         -Marty

    -- 
    Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
    Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
    roesch@sourcefire.com - http://www.sourcefire.com
    Snort: Open Source Network IDS - http://www.snort.org
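The distinction Marty draws above (a false positive versus a "nontextual": a real attack against a host it cannot affect) and the kind of evidence the earlier poster asks for (the 403 or 404 the server sent back) become mechanical once the sensor has host and response context. The following is an added example, not code from this thread, from Snort or from Sourcefire: a small Python verifier that reads Snort fast-format alert lines and attaches a verdict. The sample alert lines, the host inventory, the captured HTTP reply statuses, the rule-prefix-to-platform table and the signature IDs are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Snort "fast" alert line layout. The sample lines at the bottom are
# constructed for this example; their SIDs are illustrative only.
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumption: the platform a rule is written for can be read off its
# message prefix (true for the old WEB-* rule families, not in general).
PLATFORM_BY_PREFIX = {"WEB-IIS": "iis", "WEB-PHP": "php", "WEB-CGI": "cgi"}

LOWEST_PRIORITY = 3  # Snort priority 1 = high, 3 = low


@dataclass
class Verdict:
    sid: int
    msg: str
    category: str   # "nontextual", "failed" or "unverified"
    priority: int   # original priority, possibly lowered
    evidence: str   # what the analyst (and the boss) get to see


def parse_alert(line: str) -> dict:
    m = ALERT_RE.match(line)
    if m is None:
        raise ValueError(f"not a fast-format alert: {line!r}")
    return m.groupdict()


def rule_platform(msg: str) -> Optional[str]:
    return PLATFORM_BY_PREFIX.get(msg.split()[0])


def verify(line: str, inventory: Dict[str, str],
           responses: Dict[Tuple[str, str, int], int]) -> Verdict:
    a = parse_alert(line)
    sid, prio = int(a["sid"]), int(a["prio"])
    target = inventory.get(a["dst"])          # web server running on dst
    wanted = rule_platform(a["msg"])          # platform the rule targets

    # Case 1: a real attack the sensor saw correctly, aimed at the wrong
    # platform. Not a false positive; a "nontextual". Drop the severity.
    if wanted and target and wanted != target:
        return Verdict(sid, a["msg"], "nontextual", LOWEST_PRIORITY,
                       f"rule targets {wanted}, {a['dst']} runs {target}")

    # Case 2: right platform, but the server's reply shows it did not work.
    # Keep the reply status as evidence instead of just lowering severity.
    status = responses.get((a["src"], a["dst"], int(a["dport"])))
    if status in (403, 404):
        return Verdict(sid, a["msg"], "failed", min(prio + 1, LOWEST_PRIORITY),
                       f"server replied HTTP {status}")

    # Case 3: nothing to check against. Leave the severity alone.
    return Verdict(sid, a["msg"], "unverified", prio,
                   "no host or response context; needs analyst review")


def verify_all(lines: List[str], inventory: Dict[str, str],
               responses: Dict[Tuple[str, str, int], int]) -> List[Verdict]:
    return [verify(l, inventory, responses) for l in lines if l.strip()]


# Constructed input: three alerts, a host inventory, and the HTTP status the
# verifier captured from the matching server reply (keyed by src, dst, dport).
SAMPLE_ALERTS = [
    "10/23-19:03:00.000000  [**] [1:1002:7] WEB-IIS cmd.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} "
    "10.0.0.5:4321 -> 192.168.1.10:80",
    "10/23-19:03:05.000000  [**] [1:1002:7] WEB-IIS cmd.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} "
    "10.0.0.5:4322 -> 192.168.1.20:80",
    "10/23-19:03:09.000000  [**] [1:1100:3] WEB-PHP phpinfo access [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "10.0.0.5:4323 -> 192.168.1.30:80",
]
SAMPLE_INVENTORY = {"192.168.1.10": "apache", "192.168.1.20": "iis"}
SAMPLE_RESPONSES = {("10.0.0.5", "192.168.1.20", 80): 404}

if __name__ == "__main__":
    for v in verify_all(SAMPLE_ALERTS, SAMPLE_INVENTORY, SAMPLE_RESPONSES):
        print(f"[{v.sid}] {v.msg}: {v.category} "
              f"(priority {v.priority}) - {v.evidence}")
```

The three branches map onto the three outcomes in the thread: the IIS rule firing against the Apache host is a nontextual and is pushed to the lowest priority with the reason recorded; the same rule against the IIS host is kept as an attack but marked failed with the 404 attached; the alert with no inventory or reply data keeps its original priority, since there is nothing to justify lowering it.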
