LogAnalysis
[logs] too many false alarms Jan 24 2008 11:04PM
Jon Stearley (jrstear sandia gov) (3 replies)
Re: [logs] too many false alarms Jan 25 2008 01:54AM
Ron Gula (rgula tenablesecurity com) (1 replies)
Re: [logs] too many false alarms Jan 25 2008 11:36AM
Andrew Hay (andrewsmhay gmail com) (2 replies)
Re: [logs] too many false alarms Jan 29 2008 04:41AM
Mordechai T. Abzug (morty frakir org)
Re: [logs] too many false alarms Jan 25 2008 07:35PM
Stefano Zanero (zanero elet polimi it)
Re: [logs] too many false alarms Jan 25 2008 12:46AM
Bennett Todd (bet rahul net)
2008-01-24T23:04:43 Jon Stearley:
> what false alarm rate do you tolerate for your current monitoring system?

Monitoring what?

How expensive is a false negative?

How often do real alerts come in?

Failed attacks on a successfully-hardened server, as long as you
know the accuracy rates you can deduce the stats which are all you
care about.

If missed alerts are enormously expensive and alerts come in no
oftener than once a week, it could be that a 300% false positive
rate would still be fine.

If you're keeping a desk of 50 people racing full-time and are
neglecting real alarms because you can't keep up, a 2% false
positive might be worth a lot of engineering effort to tighten
things down that much more.

-Bennett

Re: [logs] too many false alarms Jan 25 2008 12:34AM
Marcus J. Ranum (mjr ranum com) (2 replies)
Re: [logs] too many false alarms Jan 25 2008 07:35PM
Stefano Zanero (zanero elet polimi it)
Re: [logs] too many false alarms Jan 25 2008 01:08PM
Greg Dotoli (gldotoli yahoo com)


 

Copyright 2010, SecurityFocus