Focus on IDS
Re: Snort with an expert system Jun 25 2009 01:46PM
Stefano Zanero (s zanero securenetwork it) (1 replies)
Re: Snort with an expert system Jun 25 2009 02:04PM
Tomas Olsson (tol sics se) (1 replies)
Re: Snort with an expert system Jun 25 2009 06:08PM
Joel Esler (eslerj gmail com) (1 replies)
On Thu, Jun 25, 2009 at 10:04 AM, Tomas Olsson <tol (at) sics (dot) se [email concealed]> wrote:
>
> Stefano Zanero wrote:
>>>>
>>>> Is it a false positive a case where there is no rule, or the traffic
>>>> does not match with the rule, and the engine still fires?
>>>>
>>
>>
>>>
>>> This does not fit with the above definition since the alert must be
>>> triggered by the traffic.
>>>
>>
>> You would be surprised in knowing that this is the only case where
>> you're pretty sure it IS a false positive that you are looking at (a
>> false positive of the engine itself, whereas the other examples are
>> noncontextual alerts caused by careless configuration by the user)

 Here's a topic for discussion, just to fan the flame, and basically
just to get the discussion further along.

<I work for Sourcefire>

"There are no false positives in pure signature based intrusion
detection". (Note I said signature based, not rule based, there is a
difference, anyway....) If a false positive is defined as you have it
above, then there are no false positives. If you have a rule that
alerted on a piece of traffic that the rule should NOT have alerted
on, whose fault is it? You for writing the rule? or the engine's
fault? Its only doing what you told it to do. Confused? Let me back
up.

For example, a rule fires because an IIS exploit is destined for your
Apache server. Is that a false positive? In the pure IDS sense, no,
because the traffic took place. But when you put the alert in
context, then yes, it is a false positive. The rule should not have
triggered because the end application base is incorrect as it pertains
to the rule. Put that scenario on a real network where IPs change and
applications get installed all the time, and OSes come and go, ports
open and close, services are on those ports, and on non-standard
ports, and lets face it you don't know where or what those ports are
etc.. and you see the problem.

Which is why context given to Snort is so important, which is why
Sourcefire developed things like RNA (
http://www.sourcefire.com/products/3D/rna ) in order to solve that
problem. Which is also why things like Snort 3.0 are being developed,
to be able to deal with adjustments in a more real-time fashion.

That being said. False positives do happen. Which is why there are
false positive reporting methods. If someone ELSE wrote the rule,
then its a duty to report those FPs, so those FPs can be corrected as
much as possible. If you wrote the rule, then it's time to go back to
the drawing board.

An IPS should only alert when you need to go DO something. IMO. I
hate having superfluous alerts. Alerts = work = time = money = more
work.

These are my opinions and not the opinion of my company, but basically
just to fuel the conversation a bit. Sorry if it seemed like I
plugged a bit.

--
Joel

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194

[ reply ]
Re: Snort with an expert system Jun 25 2009 06:55PM
Greg Shipley (gshipley neohapsis com) (3 replies)
Re: Snort with an expert system Jun 26 2009 12:26AM
Gary Halleen (ghalleen cisco com)
Re: Snort with an expert system Jun 25 2009 09:12PM
Richard Bejtlich (taosecurity gmail com) (1 replies)
Re: Snort with an expert system Jun 26 2009 02:17PM
Martin Roesch (roesch sourcefire com)
Re: Snort with an expert system Jun 25 2009 08:29PM
Martin Roesch (roesch sourcefire com) (1 replies)
Re: Snort with an expert system Jun 26 2009 12:28AM
Gary Halleen (ghalleen cisco com) (1 replies)
Re: Snort with an expert system Jun 26 2009 08:14PM
Stefano Zanero (s zanero securenetwork it) (2 replies)
Re: Snort with an expert system Jun 29 2009 01:46AM
Martin Roesch (roesch sourcefire com) (1 replies)
Re: Snort with an expert system Jun 30 2009 01:23PM
Tomas Olsson (tol sics se) (1 replies)
Re: Snort with an expert system Jun 30 2009 01:30PM
Stefano Zanero (s zanero securenetwork it)
Re: Snort with an expert system Jun 26 2009 10:00PM
mhellman taxandfinance com


 

Privacy Statement
Copyright 2010, SecurityFocus