Re: Announcement: Alert Verification for Snort

From: Michael Stone (
Date: 10/24/03

  • Next message: "RE: Announcement: Alert Verification for Snort"
    Date: Thu, 23 Oct 2003 21:28:05 -0400

    On Thu, Oct 23, 2003 at 04:03:20PM -0700, Christopher Kruegel wrote:
    >From a theoretical point of view, I think that Marty is right and his
    >classification is correct. In fact, we had a discussion about whether
    >'alert verification' was the correct term to use. We then concluded
    >that most people don't care why they spent time looking at an alert
    >that doesn't matter to them and that they refer to such alerts in
    >general as false positives. That's why we used the terminology that we

    What people are looking for in an IDS is the detection of an intrusion.
    With that in mind, a simple definition is, "if the system alerts on
    something that's not an intrusion it's a false positive". To base the
    definition on the behavior of signature matching engines would allow the
    limitations of the technology to obscure the primary objective of that

    Mike Stone

    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    and use priority code SF4.

  • Next message: "RE: Announcement: Alert Verification for Snort"