RE: False Positives with IntruVert
From: Kohlenberg, Toby <toby.kohlenberg(at)intel.com>
Date: Tue Apr 15 2003 - 18:23:15 EDT
For instance, Snort has (had? Brian Caswell's been cleaning the rules a lot recently) a rule that looks just for URLs that start with HEAD instead of GET. This is done because it is one of the techniques that Whisker uses to avoid being seen. The result if you turn this on is a lot of false positives (events that contain the string but aren't important) but also the potential to actually catch scans that are novel in every other way.

The problem is that the value of the alert by itself is very, very low but not zero. So, how do you score this?

toby

> -----Original Message-----
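The heuristic Toby describes, as an added example that is not part of the original thread: a minimal "alert on HTTP HEAD" detector run over constructed sample request lines, plus a Bayesian base-rate calculation showing why such an alert is, on its own, low value but not zero value. The request lines, the scan prior and the detection and false-positive rates are all assumptions made for illustration, not figures from the thread or from Snort.

```python
"""
Added example, not from the original post.  Mirrors the Snort rule that
keys only on the HTTP method HEAD, then works out the precision of such
an alert from assumed base rates.
"""
import re

# Constructed sample request lines (not real traffic).  Two HEAD requests
# look like Whisker-style CGI probes, one is a benign link checker.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "HEAD /cgi-bin/test-cgi HTTP/1.0",   # scanner-style probe
    "HEAD /robots.txt HTTP/1.0",         # benign link checker
    "GET /images/logo.gif HTTP/1.0",
    "POST /cgi-bin/form.cgi HTTP/1.0",
    "HEAD /cgi-bin/phf HTTP/1.0",        # scanner-style probe
    "garbage that is not a request line",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/(?P<ver>\d\.\d)$")


def head_requests(lines):
    """Return the URIs of every well-formed request whose method is HEAD.

    Like the rule in the thread, this keys only on the method: a benign
    link checker trips it exactly as a scanner does, which is where the
    false positives come from.  Malformed lines are ignored.
    """
    hits = []
    for line in lines:
        m = REQUEST_LINE.match(line)
        if m and m.group("method") == "HEAD":
            hits.append(m.group("uri"))
    return hits


def precision(prior, sensitivity, false_positive_rate):
    """P(scan | alert) by Bayes' rule.

    prior:               fraction of requests that are scans (assumed)
    sensitivity:         P(alert | scan)                      (assumed)
    false_positive_rate: P(alert | benign request)           (assumed)
    Returns 0.0 when the alert can never fire, to avoid dividing by zero.
    """
    tp = prior * sensitivity
    fp = (1.0 - prior) * false_positive_rate
    if tp + fp == 0.0:
        return 0.0
    return tp / (tp + fp)


if __name__ == "__main__":
    print("HEAD targets:", head_requests(SAMPLE_REQUESTS))
    # Assumed rates: 1 request in 1000 is a scan, the rule sees 90% of
    # scans, and 2% of benign requests are HEAD.  The alert is right
    # only about 4% of the time, yet it is still far better than the
    # 0.1% prior, which is the "very low but not zero" value Toby means.
    print("precision:", round(precision(0.001, 0.9, 0.02), 4))
```

The second function is the point: with the assumed rates the HEAD alert alone is a true positive roughly 4% of the time, so it should be scored as weak corroborating evidence to combine with other signals rather than as an incident on its own.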
It is heavy on the math side of things, but this is good since it begins to put questions about false positives on a rigorous footing. (The paper does not answer your specific question above, but it does provide an interesting perspective on false positives in general.)

--Mike

Michael Rash
INTRUSION PREVENTION: READY FOR PRIME TIME? IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities - including intrusion identification, relevancy, direction, impact and analysis - enabling a path to prevention. Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: http://www.securityfocus.com/IntruVert-focus-ids

Received on Tue Apr 15 18:26:40 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:11 EDT