Re: False positives, negatives and don't cares
From: Bennett Todd <bet(at)rahul.net>
Date: Mon Aug 11 2003 - 11:16:47 EDT

A very thought-provoking note (no surprise there). I think it's fair to distinguish genuine false-positives (result of flawed analysis/sigs/whatever triggering on truly legit traffic) from irrelevant-to-local-context attacks. And I agree that these irrelevant-to-local-context attacks can produce useful intelligence.

But to my tastes, a more exciting way to approach things is to programmatically weed the sig set down, resulting in small enough analytic sets to allow very fast processing.

[ Disclaimer re following: I've looked at the product, but not actually used it. ]

I think nCircle has a pretty sexy product in that vein; they've worked on non-disruptive automated vuln scanning, and coupled that to an IDS engine that's used to watch for attempts to exploit apparently-vulnerable servers. So on a sufficiently tightly-tuned plant, the IDS engine would normally not be active; it'd only begin looking for a small number of sigs when a config error opens a vuln, and would only remain active until admins respond to the alerts and plug the holes.

-Bennett
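The scan-driven pruning Bennett describes, sketched as an added Python example (not nCircle's code, not anything from the post): each signature carries the service and the version it was fixed in, a scan says what each host actually exposes, and the active signature set is whatever overlaps; a second scan shows the set emptying once the hole is plugged. Service names, SIDs and version numbers are constructed placeholders.

```python
"""Weed an IDS signature set down to the rules that match what a
vulnerability scan says is actually exposed (hypothetical example)."""
from dataclasses import dataclass


def parse_version(text):
    """'2.0.46' -> (2, 0, 46); non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


@dataclass(frozen=True)
class Signature:
    sid: int
    service: str
    fixed_in: str  # versions below this are treated as vulnerable


@dataclass(frozen=True)
class Finding:
    host: str
    service: str
    version: str


def active_signatures(sigs, findings):
    """Return {sid: sorted hosts} for every signature whose target
    service is exposed somewhere at a still-vulnerable version."""
    active = {}
    for sig in sigs:
        fixed = parse_version(sig.fixed_in)
        hosts = sorted(f.host for f in findings
                       if f.service == sig.service
                       and parse_version(f.version) < fixed)
        if hosts:
            active[sig.sid] = hosts
    return active


def retired_signatures(before, after):
    """SIDs active in the previous scan but not in this one, i.e. holes
    the admins have plugged since the last pass."""
    return sorted(set(before) - set(after))


# Constructed rule set and two successive scans of one host (placeholders).
SIGS = [Signature(1001, "http", "2.0.47"),
        Signature(1002, "ssh", "3.7.1"),
        Signature(1003, "smtp", "8.12.10")]
SCAN_1 = [Finding("web1", "http", "2.0.46"), Finding("web1", "ssh", "3.7.1")]
SCAN_2 = [Finding("web1", "http", "2.0.47"), Finding("web1", "ssh", "3.7.1")]

if __name__ == "__main__":
    first = active_signatures(SIGS, SCAN_1)   # {1001: ['web1']}
    second = active_signatures(SIGS, SCAN_2)  # {}
    print("active after scan 1:", first)
    print("retired by scan 2:", retired_signatures(first, second))  # [1001]
```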
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:17 EDT