Re: Announcement: Alert Verification for Snort

From: Michael Sierchio (kudzu_at_tenebras.com)
Date: 10/25/03

    Date: Fri, 24 Oct 2003 17:49:29 -0700
    To: focus-ids@securityfocus.com
    
    

    Michael Stone wrote:

    > What people are looking for in an IDS is the detection of an intrusion.
    > With that in mind, a simple definition is, "if the system alerts on
    > something that's not an intrusion it's a false positive".

    Not so, IMHO. Attempts at intrusion are of interest, reconnaissance
    is of interest -- just as these are in the case of physical
    security. Why? Because a fundamental tenet of security is
    that a determined adversary with sufficient resources will
    defeat your countermeasures.


