Focus on IDS
Re: Re: Snort with an expert system Jun 22 2009 07:47PM
tol sics se (1 reply)
Re: Snort with an expert system Jun 25 2009 08:45AM
Stefano Zanero (s zanero securenetwork it) (1 reply)
Re: Snort with an expert system Jun 25 2009 09:08AM
Tomas Olsson (tol sics se) (1 reply)
Re: Snort with an expert system Jun 25 2009 09:48AM
Stefano Zanero (s zanero securenetwork it) (1 reply)
Re: Snort with an expert system Jun 25 2009 10:19AM
Tomas Olsson (tol sics se) (1 reply)
Re: Snort with an expert system Jun 25 2009 10:26AM
Stefano Zanero (s zanero securenetwork it) (1 reply)
Re: Snort with an expert system Jun 26 2009 12:18AM
Gary Halleen (ghalleen cisco com) (1 reply)
Re: Snort with an expert system Jun 26 2009 07:30PM
Stuart Staniford (sstaniford FireEye com) (1 reply)
Re: Snort with an expert system Jun 26 2009 09:18PM
Gary Halleen (ghalleen cisco com)
I don't disagree with you. In fact, in an earlier message I said that for
operations people (security or network), all noise is a false positive, even
if, technically, it is not really.

Gary

On 6/26/09 12:30 PM, "Stuart Staniford" <sstaniford (at) FireEye (dot) com> wrote:

>
> On Jun 25, 2009, at 5:18 PM, Gary Halleen wrote:
>
>> On 6/25/09 3:26 AM, "Stefano Zanero" <s.zanero (at) securenetwork (dot) it>
>> wrote:
>>
>>>> "A false positive is an alert that triggers on normal traffic
>>>> where no
>>>> intrusion or attack is underway"
>>>
>>> That's a good definition, but not really complete. Under that
>>> definition, if you place a rule that flags IRC connections, and it
>>> fires, is that a false positive?
>>
>> GH: No. If a rule or signature fires on traffic you asked it to
>> fire on,
>> then it is not a false positive, regardless of whether or not it is an
>> attack or intrusion.
>
> To echo what Greg said - from a customer perspective, it's all the
> same. Customers generally buy both an engine and a set of rules as a
> single package, and if the combination is reporting things that aren't
> actual attacks, then it's making them unhappy. Few customers are
> writing their own rules.
>
> Distinguishing between whether the problem is in the engine or the
> rule is useful internally at the vendor to decide what needs to get
> fixed, but customers are not likely to care that much.
>
> The way our (FireEye's) technology reduces false positives is to
> replay the traffic in an instrumented virtual machine, to see if it
> really is an attack or not. We have a lot fewer false positives than
> traditional IDS products (we don't ship a release with any that are
> known to us, though a few still pop up in the field unfortunately -
> you can never test against everything that will show up on a
> customer's network)
>
> Stuart Staniford.
>
> -----------------------------------------------------------------
> Securing Your Online Data Transfer with SSL.
> A guide to understanding SSL certificates, how they operate and their
> application. By making use of an SSL certificate on your web server, you can
> securely collect sensitive information online, and increase business by giving
> your customers confidence that their transactions are safe.
> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
>
>

The Hacker only has to be right once...

Stay Secure!

Gary Halleen, CISSP-ISSAP, CHP
Author, Security Monitoring with CS-MARS, ISBN: 1587052709
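The disagreement above (is an IRC rule that fires on an IRC connection a false positive?) maps onto something Snort already records: every rule carries a classtype, and policy rules such as an IRC flagger are normally tagged policy-violation while exploit rules are tagged attempted-admin, trojan-activity and so on. The following is an added example, not code from this thread, from Snort or from any of the posters: it parses alerts in Snort's "fast" output format and splits them into alerts that fired because a rule was asked to flag that traffic (Gary's "not a false positive") and alerts that claim an attack (the only ones Stuart's customers care about). The rule text, the SIDs 1000001/1000002 and every alert line are constructed for illustration; the classification strings are the descriptions Snort's stock classification.config assigns to those classtypes.

```python
"""Split Snort fast-format alerts into policy hits and attack claims.

Added example; the rule, SIDs and alert lines below are constructed.
"""
import re
from collections import Counter

# A hypothetical local rule of the kind Stefano describes: it fires on every
# outbound IRC connection and says so in its classtype. Shown for reference;
# the parser consumes the alert lines such a rule would emit.
IRC_POLICY_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 '
    '(msg:"LOCAL POLICY IRC connection"; flow:to_server,established; '
    'classtype:policy-violation; sid:1000001; rev:1;)'
)

# Constructed sample alerts in Snort's "fast" output format (not captured).
SAMPLE_ALERTS = """\
06/26-12:30:01.000000  [**] [1:1000001:1] LOCAL POLICY IRC connection [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:51234 -> 192.0.2.10:6667
06/26-12:30:02.000000  [**] [1:1000002:1] LOCAL EXPLOIT placeholder overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:4444 -> 10.0.0.9:80
06/26-12:30:03.000000  [**] [1:1000001:1] LOCAL POLICY IRC connection [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.6:51235 -> 192.0.2.11:6667
"""

# One fast-format line: timestamp, [gid:sid:rev], msg, optional
# classification, priority, {proto}, src -> dst.
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?'
    r'\[Priority:\s+(?P<pri>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$'
)

# Classification descriptions from Snort's classification.config whose
# alerts record a policy decision rather than a detected attack.
POLICY_CLASSES = {
    "Potential Corporate Privacy Violation",  # classtype:policy-violation
    "Not Suspicious Traffic",                 # classtype:not-suspicious
    "Unknown Traffic",                        # classtype:unknown
}


def parse_fast_alert(line):
    """Return a dict of fields for one fast-format line, or None if it
    does not parse (so garbage in the log cannot masquerade as an alert)."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    fields["pri"] = int(fields["pri"])
    return fields


def bucket(alert):
    """'policy' if the rule fired on traffic it was asked to flag,
    'attack' if the alert asserts an intrusion. An alert with no
    classification is treated as an attack claim, the conservative choice."""
    return "policy" if alert.get("cls") in POLICY_CLASSES else "attack"


def triage(text):
    """Count alerts per bucket over a block of fast-format output."""
    counts = Counter()
    for line in text.splitlines():
        alert = parse_fast_alert(line)
        if alert is not None:
            counts[bucket(alert)] += 1
    return counts


if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS))
```

Run as-is it reports two policy alerts and one attack claim for the sample. The split is only as good as the classtypes in the ruleset: a vendor or local rule that tags a policy check as attempted-admin lands in the attack bucket, which is exactly the noise the operations view in this thread complains about, so the first thing to audit when "false positives" are high is whether the classtypes say what the rules actually detect.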


Copyright 2010, SecurityFocus