Focus on IDS
Re: Snort with an expert system Jun 25 2009 01:46PM
Stefano Zanero (s zanero securenetwork it)
>> Is it a false positive a case where there is no rule, or the traffic
>> does not match with the rule, and the engine still fires?

> This does not fit with the above definition since the alert must be
> triggered by the traffic.

You would be surprised to know that this is the only case where
you're pretty sure it IS a false positive that you are looking at (a
false positive of the engine itself, whereas the other examples are
noncontextual alerts caused by careless configuration by the user).

> Yes, if there was no attack or intrusion triggering the alert. But, why
> would the user not want to be alerted if it is a real intrusion?

Because maybe it is a rule firing for a real attack on a vulnerability
that is not present. By the way: is this a false positive or not? :-)

Do you see why I say that "false positive" is a dangerous beast to define?

> With respect to using the alerts as input to our algorithm, none of these
> objections are important. We just use the type of alerts as sensor data
> that we want to analyze to see when the frequencies of each type of
> alert diverge from what previously has been observed.

And what does that imply? Do you filter out what diverges, or do you
filter out what does not diverge? How does "diverging statistically" with the
specific algorithm which you chose actually have any relationship with
an alert being a false positive or not?

> Well, there is nothing that says that there must be any difference
> between a false and a true alert.

That's the point, exactly.

> However, assume that there is
> legitimate traffic that triggers false alerts on a regular basis.

Here you are: you are detecting misconfigurations and noncontextuals,
not false positives ;-)

As I said, it's a matter of definition.

And "artificial ignorance" (as dubbed by Marcus Ranum) works using the
principle you stated, but with a much simpler apparatus. If this is all
you're looking for, then probably the algorithm you are using is an

(and, in IDEVAL, there's probably no such traffic, unless you severely
misconfigure Snort)


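The contrast drawn above between Ranum-style "artificial ignorance" and watching alert-type frequencies diverge from a baseline, as an added example that is not part of the thread, of the poster's algorithm, or of Snort itself. The alert lines are constructed in the shape of Snort's "fast" alert output; the SIDs, messages, addresses, window lengths and the divergence factor of 2 are all assumptions.

```python
"""Two ways of triaging a window of Snort alerts against a baseline window.

Added example, not code from the thread or from Snort. The alert lines are
constructed in the shape of Snort's "fast" alert output; the SIDs, messages,
addresses, window sizes and the divergence factor are all assumptions.
"""
import re
from collections import Counter

# Matches lines shaped like Snort's "fast" alert format:
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [...] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def make_alert(ts, sid, msg, proto, src, dst):
    """Build a constructed alert line (sample data, not captured output)."""
    return (f"{ts}  [**] [1:{sid}:1] {msg} [**] [Classification: Test] "
            f"[Priority: 3] {{{proto}}} {src} -> {dst}")


# Constructed baseline window: what a tuning pass would have seen earlier.
# Rule A is noisy but "normal" here; rule B fires occasionally.
BASELINE = (
    [make_alert(f"06/24-10:{m:02d}:00.000000", 1000001, "LOCAL noisy rule A",
                "UDP", "10.0.0.5:161", "10.0.0.9:161") for m in range(6)]
    + [make_alert(f"06/24-10:{m:02d}:30.000000", 1000002, "LOCAL rule B",
                  "TCP", "10.0.0.7:4444", "10.0.0.9:80") for m in range(2)]
)

# Constructed current window: rule A bursts, rule B is unchanged, and a
# never-seen rule C fires exactly once.
NEW = (
    [make_alert(f"06/25-13:{m:02d}:00.000000", 1000001, "LOCAL noisy rule A",
                "UDP", "10.0.0.5:161", "10.0.0.9:161") for m in range(18)]
    + [make_alert(f"06/25-13:{m:02d}:30.000000", 1000002, "LOCAL rule B",
                  "TCP", "10.0.0.7:4444", "10.0.0.9:80") for m in range(2)]
    + [make_alert("06/25-13:46:00.000000", 1000003, "LOCAL rule C",
                  "TCP", "198.51.100.4:53211", "10.0.0.9:22")]
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None for lines that do not parse."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def signature_counts(lines):
    """Count alerts per signature ("gid:sid"), skipping unparseable lines."""
    counts = Counter()
    for line in lines:
        a = parse_alert(line)
        if a:
            counts[f"{a['gid']}:{a['sid']}"] += 1
    return counts


def artificial_ignorance(baseline, new):
    """Artificial ignorance applied at signature granularity: every signature
    seen in the baseline is declared 'known' and suppressed; whatever is left
    is shown to the analyst. Nothing here judges whether the suppressed alerts
    were true or false positives; it only removes the familiar."""
    known = set(signature_counts(baseline))
    return [a for a in map(parse_alert, new)
            if a and f"{a['gid']}:{a['sid']}" not in known]


def frequency_divergence(baseline, new, factor=2.0):
    """Flag signatures whose count in the new window exceeds `factor` times
    the baseline count (assumption: both windows cover the same duration).
    A signature absent from the baseline needs more than `factor` hits to
    register, so a single novel alert does not 'diverge' at all."""
    base = signature_counts(baseline)
    cur = signature_counts(new)
    return {sig: (base.get(sig, 0), n) for sig, n in cur.items()
            if n > factor * max(base.get(sig, 0), 1)}


if __name__ == "__main__":
    print("diverging:", frequency_divergence(BASELINE, NEW))
    for a in artificial_ignorance(BASELINE, NEW):
        print("unfamiliar:", a["gid"], a["sid"], a["msg"], a["src"], "->", a["dst"])
```

Running it shows the two methods disagreeing about what deserves attention: the burst of rule A is the only thing that "diverges statistically", while the single hit of rule C is the only thing artificial ignorance surfaces. Neither method says whether A's alerts are false positives in the strict engine-level sense used above; both are reacting to familiarity and volume, which is the objection raised in the post.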