Re: IDS Signature Confidence
From: David W. Goodrum (dgoodrum_at_nfr.com)
Date: 06/21/05
- Previous message: Vipul Kumra: "Re: FW: IDS Signature Confidence"
- In reply to: Raffael Marty: "IDS Signature Confidence"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 20 Jun 2005 19:44:51 -0400 To: Raffael Marty <raffy@raffy.ch>
Hi Raffael,
at NFR we've recognized this, and with every alert we assign a
"confidence index" to the alert. The index is a percentage of how
"real" we think the attack is. In some cases, the index will be very
high (for things that are known and can be mapped to a CVE or CAN), and
for others it will be lower (some violation of a protocol anomaly), and
for others it will be dynamic, depending on how much data we have. DoS
attacks are typical of attacks where the more data you have, the higher
the confidence might be.
-dave
-- David W. Goodrum, CEH Senior Systems Engineer (nfr)(security) http://www.nfr.com See NFR Security at these upcoming events: Security Ventures 2005, July 13, New York, NY Raffael Marty wrote: >I was thinking about this following problem: Assume you have an NIDS >signature looking for DoS attacks. In most of the cases I don't trust the >NIDS reporting on a DoS attack. A lot of the DoS sigs just look at >some bytes on the wire and tell me that there is a DoS attack going >on. However, I need some more evidence that my services are indeed not >accessible anymore. Some signatures on the other hand are very specific >and you can trust them with whatever they report. >Now this brings me to my question: How do you guys decide how much >confidence you put in a certain IDS signature? And I am not talking >about prioritizing the event. I am talking about assigning a "success" >or "possible success" to signatures. > > -raffy > > >-- > Raffael Marty, GCIA, CISSP raffael.marty@arcsight.com > Senior Security Engineer Content Team @ ArcSight Inc. > 5 Results Way Cupertino, CA 95014 (408) 864-2662 > >-------------------------------------------------------------------------- >Test Your IDS > >Is your IDS deployed correctly? >Find out quickly and easily by testing it with real-world attacks from >CORE IMPACT. >Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 >to learn more. >-------------------------------------------------------------------------- > > > -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
- Previous message: Vipul Kumra: "Re: FW: IDS Signature Confidence"
- In reply to: Raffael Marty: "IDS Signature Confidence"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
