Focus on IDS
Re: Re: Snort with an expert system Jun 22 2009 07:47PM
tol sics se (1 replies)
Re: Snort with an expert system Jun 25 2009 08:45AM
Stefano Zanero (s zanero securenetwork it) (1 replies)
Re: Snort with an expert system Jun 25 2009 09:08AM
Tomas Olsson (tol sics se) (1 replies)
Re: Snort with an expert system Jun 25 2009 09:48AM
Stefano Zanero (s zanero securenetwork it) (1 replies)
Re: Snort with an expert system Jun 25 2009 10:19AM
Tomas Olsson (tol sics se) (1 replies)
Re: Snort with an expert system Jun 25 2009 10:26AM
Stefano Zanero (s zanero securenetwork it) (1 replies)
Re: Snort with an expert system Jun 26 2009 12:18AM
Gary Halleen (ghalleen cisco com) (1 replies)
On 6/25/09 3:26 AM, "Stefano Zanero" <s.zanero (at) securenetwork (dot) it [email concealed]> wrote:

>> "A false positive is an alert that triggers on normal traffic where no
>> intrusion or attack is underway"
>
> That's a good definition, but not really complete. Under that
> definition, if you place a rule that flags IRC connections, and it
> fires, is that a false positive?

GH: No. If a rule or signature fires on traffic you asked it to fire on,
then it is not a false positive, regardless of whether or not it is an
attack or intrusion.

>
> Is it a false positive a case where there is no rule, or the traffic
> does not match with the rule, and the engine still fires?

GH: Yes.

> Is it a false positive a case where a rule correctly matches, but the
> user didn't want to be alerted to that traffic ?

GH: Some say yes, some say no. I am one of those who says this is not a
false positive. Perhaps this is a misconfiguration of the sensor, but it is
still doing what it was asked to do. I wrote "Security Monitoring with
CS-MARS" for Cisco Press, and that product considers this to be a false
positive.

Stay Secure!
Gary

Gary Halleen, CISSP-ISSAP, CHP
Author, Security Monitoring with CS-MARS, ISBN: 1587052709

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194

[ reply ]
Re: Snort with an expert system Jun 26 2009 07:30PM
Stuart Staniford (sstaniford FireEye com) (1 replies)
Re: Snort with an expert system Jun 26 2009 09:18PM
Gary Halleen (ghalleen cisco com)


 

Privacy Statement
Copyright 2010, SecurityFocus