IDS Signature Confidence

From: Raffael Marty (raffy_at_raffy.ch)
Date: 06/21/05

  • Next message: Raffael Marty: "RE: generating a network map"
    Date: Mon, 20 Jun 2005 18:59:36 -0400 (EDT)
    To: focus-ids@lists.securityfocus.com
    
    

    I was thinking about the following problem: Assume you have an NIDS
    signature looking for DoS attacks. In most of the cases I don't trust the
    NIDS reporting on a DoS attack. A lot of the DoS sigs just look at
    some bytes on the wire and tell me that there is a DoS attack going
    on. However, I need some more evidence that my services are indeed not
    accessible anymore. Some signatures, on the other hand, are very specific
    and you can trust them with whatever they report.
    Now this brings me to my question: How do you guys decide how much
    confidence you put in a certain IDS signature? And I am not talking
    about prioritizing the event. I am talking about assigning a "success"
    or "possible success" to signatures.

      -raffy

    --
      Raffael Marty, GCIA, CISSP                     raffael.marty@arcsight.com
      Senior Security Engineer                     Content Team @ ArcSight Inc.
      5 Results Way             Cupertino, CA 95014              (408) 864-2662
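The post draws a line between signatures that are trustworthy on their own and DoS signatures that only match bytes on the wire and need corroboration before you call the attack a "success". The following is an added example, not code from the original post or from the poster's employer, showing one way to encode that distinction: each signature gets a class, and a heuristic DoS alert is only promoted to "success" when an out-of-band health check of the targeted service fails shortly after the alert. The signature ids, hosts and probe records are constructed sample data.

```python
"""Corroborate NIDS DoS alerts with service-availability evidence.

Added example (not from the original post).  Signature ids, hosts and
probe records below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Per-signature policy: how much the signature alone is worth.
#   "specific"  -> the match is the attack (e.g. a unique exploit payload)
#   "heuristic" -> a byte-pattern hint that needs corroboration (DoS sigs)
# Signature ids are hypothetical.
SIGNATURE_CLASS: Dict[str, str] = {
    "sid:1000001": "specific",   # hypothetical: exploit-specific payload match
    "sid:2000001": "heuristic",  # hypothetical: generic "DoS flood" byte match
}


@dataclass
class Alert:
    sid: str
    dst_host: str
    dst_port: int
    ts: float            # seconds since epoch


@dataclass
class ServiceProbe:
    host: str
    port: int
    ts: float
    reachable: bool      # result of an out-of-band health check of host:port


def corroborating_probe(alert: Alert, probes: List[ServiceProbe],
                        window: float = 60.0) -> Optional[ServiceProbe]:
    """Most recent probe of the alert's target within `window` seconds
    after the alert, or None if the service was never checked."""
    candidates = [p for p in probes
                  if p.host == alert.dst_host and p.port == alert.dst_port
                  and alert.ts <= p.ts <= alert.ts + window]
    if not candidates:
        return None
    return max(candidates, key=lambda p: p.ts)


def assess(alert: Alert, probes: List[ServiceProbe],
           window: float = 60.0) -> Tuple[str, str]:
    """Map an alert to ("success" | "possible success" | "unconfirmed", reason)."""
    # Unknown signatures get the cautious class rather than being trusted.
    sig_class = SIGNATURE_CLASS.get(alert.sid, "heuristic")
    if sig_class == "specific":
        return "success", f"{alert.sid} is classed as specific; no corroboration required"
    probe = corroborating_probe(alert, probes, window)
    target = f"{alert.dst_host}:{alert.dst_port}"
    if probe is None:
        return "possible success", f"{alert.sid} is heuristic and {target} was not probed within {window:.0f}s"
    if not probe.reachable:
        return "success", f"probe at t={probe.ts:.0f} found {target} unreachable"
    return "unconfirmed", f"probe at t={probe.ts:.0f} found {target} still reachable"


def demo() -> List[Tuple[str, str]]:
    # Constructed sample data: health-check results and NIDS alerts.
    probes = [
        ServiceProbe("10.0.0.5", 80, 1000.0, True),
        ServiceProbe("10.0.0.5", 80, 1030.0, False),
        ServiceProbe("10.0.0.7", 443, 2010.0, True),
    ]
    alerts = [
        Alert("sid:2000001", "10.0.0.5", 80, 1010.0),   # DoS sig; service then went down
        Alert("sid:2000001", "10.0.0.7", 443, 2000.0),  # DoS sig; service stayed up
        Alert("sid:2000001", "10.0.0.9", 22, 3000.0),   # DoS sig; nothing to check against
        Alert("sid:1000001", "10.0.0.5", 80, 4000.0),   # specific sig; trusted as-is
    ]
    return [assess(a, probes) for a in alerts]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(f"{verdict:17s} {reason}")
```

The three-way outcome matters: "possible success" is kept for the case where no corroborating evidence exists at all, while a heuristic alert whose target is demonstrably still reachable is marked "unconfirmed" rather than being silently downgraded, so the analyst can still see that the signature fired.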
