Re: Snort with an expert system
On 6/25/09 3:26 AM, "Stefano Zanero" <s.zanero@xxxxxxxxxxxxxxxx> wrote:

"A false positive is an alert that triggers on normal traffic where no
intrusion or attack is underway"

That's a good definition, but not really complete. Under that
definition, if you place a rule that flags IRC connections, and it
fires, is that a false positive?

GH: No. If a rule or signature fires on traffic you asked it to fire on,
then it is not a false positive, regardless of whether or not it is an
attack or intrusion.
Is it a false positive when there is no rule, or the traffic does not
match the rule, and the engine still fires?

GH: Yes.


Is it a false positive when a rule correctly matches, but the user
didn't want to be alerted to that traffic?

GH: Some say yes, some say no. I am one of those who says this is not a
false positive. Perhaps this is a misconfiguration of the sensor, but it is
still doing what it was asked to do. I wrote "Security Monitoring with
CS-MARS" for Cisco Press, and that product considers this to be a false
positive.

Stay Secure!
Gary

Gary Halleen, CISSP-ISSAP, CHP
Author, Security Monitoring with CS-MARS, ISBN: 1587052709


