LogAnalysis
[logs] too many false alarms Jan 24 2008 11:04PM
Jon Stearley (jrstear sandia gov) (3 replies)
Re: [logs] too many false alarms Jan 25 2008 12:34AM
Marcus J. Ranum (mjr ranum com) (2 replies)
Jon Stearley wrote:
>what false alarm rate do you tolerate for your current monitoring
>system? is 1 false alarm in 4 ok? 1 in 10? 1 in 100?

Let's make sure we're talking about the same thing, first.

"False positive" is when the sensor/IDS/monitor raises an alert that
is wrong. An example of a false positive would be if your
web site got slashdotted and your IDS alerted you to a "SYN
flood attack."
"False alarm" is when the sensor/IDS/monitor raises an alert that is
right, but not interesting to you, either because the event
is accepted by your policy or you have additional knowledge
that allows you to assess the alarm as insignificant. An example
of a false alarm would be if your IDS alerted you that someone
just tried a Windows/IIS-based buffer overrun against your Sun box
that's running Apache. The diagnosis is correct, but you may not
choose to care.

Given those definitions, my answers would be:
"as many false alarms as it generates" and "any"

The problem is that a lot of the time people are expected to put sensors
or detectors/monitoring systems in place to monitor networks that are,
basically, too permeable. So, of course, there are tons and tons of
alarms. And, the sensor/IDS/monitor gets blamed for being "too noisy"
when in fact the situation is that "the network's security sucks."

A perfect example of this would be one site I worked with back in the IDS
days: they complained bitterly that the IDS generated "too much noise"
but their policy was that port 80 was allowed unimpeded inbound access
through their firewall. OF COURSE the IDS generated a lot of noise - it was
correctly and fairly accurately identifying the approximately 30,000 real
attack attempts that were being launched against machines on the
customer's internal network EVERY DAY. The fun part was when
management didn't like my assessment of their situation and sent their
technical staff to go "get another opinion from a REAL IDS expert."

mjr.
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
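The distinction above (wrong diagnosis versus correct-but-uninteresting) is what asset- and policy-aware triage implements. The following is an added example, not code from the post or the list; the asset inventory, the port-80 policy, the handshake-ratio heuristic for telling a traffic spike from a SYN flood, and the sample alerts are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed asset inventory (hypothetical hosts): address -> OS and service per port.
ASSETS = {
    "10.0.0.5": {"os": "solaris", "services": {80: "apache"}},
    "10.0.0.9": {"os": "windows", "services": {80: "iis"}},
}
# Site policy from the anecdote: inbound port 80 is permitted unimpeded.
POLICY_ALLOWED_INBOUND = {80}

@dataclass
class Alert:
    signature: str
    dst_ip: str
    dst_port: int
    kind: str                        # "exploit", "flood" or "policy"
    targets: Optional[str] = None    # service an exploit signature is written for
    handshake_ratio: float = 1.0     # completed / attempted TCP handshakes in the window

def classify(alert: Alert) -> str:
    """Label an alert 'false_positive', 'false_alarm' or 'actionable' per Ranum's definitions."""
    if alert.kind == "flood":
        # A SYN flood leaves most handshakes incomplete; a slashdotting completes them,
        # so a high completion ratio means the flood diagnosis itself is wrong.
        return "false_positive" if alert.handshake_ratio > 0.5 else "actionable"
    if alert.kind == "policy":
        # Correct observation, but the behaviour is accepted by policy.
        return "false_alarm" if alert.dst_port in POLICY_ALLOWED_INBOUND else "actionable"
    host = ASSETS.get(alert.dst_ip)
    if host is None:
        return "actionable"  # unknown asset: no knowledge that would let us dismiss it
    if alert.targets and host["services"].get(alert.dst_port) != alert.targets:
        return "false_alarm"  # right diagnosis, target not susceptible (IIS overrun vs Apache)
    return "actionable"

def triage(alerts):
    """Classify every alert and return the count per class."""
    return Counter(classify(a) for a in alerts)

# Constructed sample alerts mirroring the situations in the post.
SAMPLE = [
    Alert("SYN flood", "10.0.0.5", 80, "flood", handshake_ratio=0.97),
    Alert("Windows/IIS buffer overrun", "10.0.0.5", 80, "exploit", targets="iis"),
    Alert("Windows/IIS buffer overrun", "10.0.0.9", 80, "exploit", targets="iis"),
    Alert("inbound HTTP to internal host", "10.0.0.5", 80, "policy"),
]

if __name__ == "__main__":
    print(dict(triage(SAMPLE)))
```

Note that the 30,000 daily attack attempts in the anecdote would land in the "actionable" bucket: with port 80 open to everything, the IDS is right, and no amount of tuning makes the alerts go away.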
