Focus on IDS
Re: Snort with an expert system Jun 25 2009 01:46PM
Stefano Zanero (s zanero securenetwork it) (1 replies)
Re: Snort with an expert system Jun 25 2009 02:04PM
Tomas Olsson (tol sics se) (1 replies)
Stefano Zanero wrote:
>>> Is it a false positive, a case where there is no rule, or the traffic
>>> does not match the rule, and the engine still fires?
>>>
>
>
>> This does not fit with the above definition since the alert must be
>> triggered by the traffic.
>>
>
> You would be surprised in knowing that this is the only case where
> you're pretty sure it IS a false positive that you are looking at (a
> false positive of the engine itself, whereas the other examples are
> noncontextual alerts caused by careless configuration by the user)
>
>
>> Yes, if there was no attack or intrusion triggering the alert. But, why
>> would the user not want to be alerted if it is a real intrusion?
>>
>
> Because maybe it is a rule firing for a real attack on a vulnerability
> that is not present. By the way: is this a false positive or not? :-)
>
> Do you see why I say that "false positive" is a dangerous beast to define?
>
>
>> With respect to using the alerts as input to our algorithm, none of these
>> objections are important. We just use the type of alerts as sensor data
>> that we want to analyze to see when the frequencies of each type of
>> alert diverge from what has previously been observed.
>>
>
> And what does that imply? Do you filter out what diverges, or do you
> filter out what does not diverge? How does "diverging statistically" with the
> specific algorithm which you chose actually have any relationship with
> an alert being a false positive or not?
>
>
>> Well, there is nothing that says that there must be any difference
>> between a false and a true alert.
>>
>
> That's the point, exactly.
>
>
>> However, assume that there is
>> legitimate traffic that triggers false alerts on a regular basis.
>>
>
> Here you are: you are detecting misconfigurations and noncontextuals,
> not false positives ;-)
>
> As I said, it's a matter of definition.
>
> And "artificial ignorance" (as dubbed by Marcus Ranum) works using the
> principle you stated, but with a much simpler apparatus. If this is all
> you're looking for, then probably the algorithm you are using is an
> overkill.
>
> (and, in IDEVAL, there's probably no such traffic, unless you severely
> misconfigure Snort)
>
> Best,
> Stefano
>
OK, I think I've got your point. The "misconfiguration" of Snort was
that we did not tune the signature rules. We used the default rules.

Maybe I have just been thinking of this wrongly? If we instead see the
IDS as a sensor that triggers alerts on "events"/patterns in the traffic
that we think are interesting, we can thereafter monitor the
alerts and signal whenever something "unusual" happens using our
algorithm. Then we do not filter false positives, but we have created
another type of IDS based on anomaly detection in combination with
rules, if we assume that the signal correlates to intrusions.
/Tomas

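The two ideas discussed in this exchange, Tomas's "treat the alert types as sensor data and signal when their frequencies diverge from what was previously observed" and the "artificial ignorance" Stefano attributes to Marcus Ranum (learn what is normal and report only what is not already known), can be sketched together over a Snort alert log. The Python below is an added example written for this thread, not code from either poster, from Snort or from IDEVAL. The alert lines are constructed in the layout of Snort's "fast" alert output; the signature ids 2003 and 384 are used only as sample values, sid 1000001 stands for a hypothetical local rule, and the one-minute window, the 3-sigma threshold and the 1.0 sigma floor are arbitrary assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Snort "fast" alert line: timestamp, [**], [gid:sid:rev], message, [**], then classification etc.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)


def parse_fast_alert(line, year=2009):
    """Return (timestamp, sid, message) for one fast-format line, or None if it does not parse.
    Fast format carries no year, so the caller supplies it."""
    m = FAST_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return ts, int(m["sid"]), m["msg"]


def window_counts(alerts, window_seconds=60):
    """Bucket alerts into fixed windows aligned on multiples of window_seconds.
    Returns one Counter({sid: count}) per window, in time order, empty windows included."""
    if not alerts:
        return []
    buckets = defaultdict(Counter)
    for ts, sid, _ in alerts:
        buckets[int(ts.timestamp() // window_seconds)][sid] += 1
    return [buckets[i] for i in range(min(buckets), max(buckets) + 1)]


def build_baseline(windows):
    """Per-sid mean and population std-dev of the per-window counts (absent sid counts as 0).
    The set of sids seen here is the 'known' set used for artificial ignorance."""
    sids = set().union(*windows) if windows else set()
    return {sid: (mean([w.get(sid, 0) for w in windows]),
                  pstdev([w.get(sid, 0) for w in windows])) for sid in sids}


def flag_window(window, baseline, k=3.0, min_sigma=1.0):
    """Return sorted (sid, count, reason) tuples for one window.
    'new'       : sid never seen during the baseline (artificial ignorance).
    'divergent' : count deviates from the baseline mean by more than k sigma
                  (sigma floored at min_sigma so a perfectly steady sid is not flagged by a +1)."""
    findings = []
    for sid, count in window.items():
        if sid not in baseline:
            findings.append((sid, count, "new"))
            continue
        mu, sigma = baseline[sid]
        if abs(count - mu) > k * max(sigma, min_sigma):
            findings.append((sid, count, "divergent"))
    return sorted(findings)


def analyze(lines, window_seconds=60, k=3.0):
    """Learn a baseline from every window but the last, then report on the last window."""
    alerts = [a for a in (parse_fast_alert(l) for l in lines) if a is not None]
    windows = window_counts(alerts, window_seconds)
    if len(windows) < 2:
        return []
    return flag_window(windows[-1], build_baseline(windows[:-1]), k=k)


def _line(ts, sid, msg, proto="UDP", src="10.0.0.5:1434", dst="10.0.0.1:1434"):
    # Constructed sample line in the fast-alert layout; addresses and classification are made up.
    return (f"{ts}  [**] [1:{sid}:1] {msg} [**] [Classification: sample] "
            f"[Priority: 2] {{{proto}}} {src} -> {dst}")


# Constructed sample log: three quiet baseline minutes (two sid 2003 and one sid 384 each),
# then an evaluation minute with a burst of ten sid 2003 alerts and a sid never seen before.
SAMPLE_LOG = (
    [_line(f"06/25-13:{m}:{s:02d}.000000", 2003, "MS-SQL ping attempt")
     for m in (46, 47, 48) for s in (10, 40)]
    + [_line(f"06/25-13:{m}:20.000000", 384, "ICMP PING") for m in (46, 47, 48)]
    + [_line(f"06/25-13:49:{s:02d}.000000", 2003, "MS-SQL ping attempt") for s in range(0, 50, 5)]
    + [_line("06/25-13:49:30.000000", 1000001, "LOCAL hypothetical rule")]
)

if __name__ == "__main__":
    for sid, count, reason in analyze(SAMPLE_LOG):
        print(f"sid {sid}: {count} alerts in last window ({reason})")
```

On the sample this reports sid 2003 as divergent (ten alerts against a baseline of two per minute) and sid 1000001 as new. Note what the output does and does not say, which is exactly the distinction Stefano draws: a sid that is steady in the baseline is never reported, whether or not its rule is firing on real attacks, and a divergent count only means "unusual relative to this sensor's history", not "true positive".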