Re: Announcement: Alert Verification for Snort
From: Robin Sommer (robin_at_icir.org)
Date: 10/24/03
- Previous message: Craig H. Rowland: "RE: Announcement: Alert Verification for Snort"
- In reply to: Sam f. Stover: "Re: Announcement: Alert Verification for Snort"
- Next in thread: Raistlin: "Re: Announcement: Alert Verification for Snort"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 24 Oct 2003 17:55:48 +0200
To: focus-ids@securityfocus.com
On Thu, Oct 23, 2003 at 06:53 -0400, Sam f. Stover wrote:
> In the not too distant past I would have agreed with this - but I think
> as IDS implementations grew, the way people describe FPs has changed.
> I think today's IDS *needs* to know "the additional information about
> the context and relevance" - because the event you are referring to is
> what I'll call an "effective FP".
There is a paper upcoming at ACM's CCS next week in which we use the
term "contextual signatures" to describe the enhancement of
Snort-like signatures by incorporating additional context. We
implemented this for IDS Bro, making use of all its already existing
mechanisms to provide context (which includes a full scripting
language).
> Even better, I want to see the 404 or 403 error, so I
> can show my boss why I didn't even bother to look into it.
Actually, this is one of our examples: for a certain attack, we want
the IDS to alert only if the server has not answered with a 4xx.
The paper is available at http://www.net.in.tum.de/~robin/papers/ccs03.ps
Robin
-- Robin Sommer * Room 01.08.055 * www.net.in.tum.de TU Munich * Phone (089) 289-18006 * sommer@in.tum.de
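The response-aware check Robin describes (alert on a matching request only when the server did not answer 4xx), as an added illustration that is not code from the post, the paper or Bro; the signature pattern, the event tuple format and the sample traffic are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for a Snort-like request-side signature (placeholder
# pattern, not a real attack signature from the paper or from Snort).
SIGNATURE = re.compile(r"/cgi-bin/probe\.cgi")


@dataclass
class Alert:
    conn: str
    uri: str
    status: int


def verify_alerts(events):
    """Contextual signature: a request that matches SIGNATURE becomes an
    alert only after the server's reply is seen and it is not a 4xx.

    `events` is an iterable of (conn_id, kind, payload) tuples (assumed
    format): kind "request" carries the HTTP request line, kind "response"
    carries the status code as a string. Matches are held per connection
    until the response arrives; a match whose response never shows up stays
    pending (a real deployment would expire it with a timeout)."""
    pending = {}   # conn_id -> matched URI awaiting verification
    alerts = []
    for conn, kind, payload in events:
        if kind == "request":
            parts = payload.split()
            uri = parts[1] if len(parts) > 1 else payload
            if SIGNATURE.search(uri):
                pending[conn] = uri          # candidate, not yet verified
        elif kind == "response":
            uri = pending.pop(conn, None)
            if uri is None:
                continue                     # nothing matched on this connection
            status = int(payload)
            if 400 <= status < 500:
                continue                     # 404/403 etc.: the "effective FP" case
            alerts.append(Alert(conn, uri, status))
    return alerts


# Constructed sample traffic: one probe refused with 404, one benign request,
# one probe the server actually served (200).
SAMPLE_EVENTS = [
    ("c1", "request", "GET /cgi-bin/probe.cgi?x=1 HTTP/1.0"),
    ("c1", "response", "404"),
    ("c2", "request", "GET /index.html HTTP/1.1"),
    ("c2", "response", "200"),
    ("c3", "request", "GET /cgi-bin/probe.cgi?x=1 HTTP/1.0"),
    ("c3", "response", "200"),
]

if __name__ == "__main__":
    for a in verify_alerts(SAMPLE_EVENTS):
        print(f"ALERT {a.conn}: {a.uri} (server answered {a.status})")
```

Only the c3 probe is reported; the c1 probe is dropped because the 404 shows the request went nowhere.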