[logs] too many false alarms
Greg Dotoli
gldotoli at yahoo.com
Fri Jan 25 05:08:39 PST 2008
The biggest thing to worry about is the False Negative: an IDS that fails to alert on a legitimate threat.
--- "Marcus J. Ranum" <mjr at ranum.com> wrote:
> Jon Stearley wrote:
> >what false alarm rate do you tolerate for your current monitoring
> >system? is 1 false alarm in 4 ok? 1 in 10? 1 in 100?
>
> Let's make sure we're talking about the same thing, first.
>
> "False positive" is when the sensor/IDS/monitor raises an alert that
> is wrong. An example of a false positive would be if your web site got
> slashdotted and your IDS alerted you to a "SYN flood attack."
>
> "False alarm" is when the sensor/IDS/monitor raises an alert that is
> right, but not interesting to you, either because the event is accepted
> by your policy or you have additional knowledge that allows you to
> assess the alarm as insignificant. An example of a false alarm would be
> if your IDS alerted you that someone just tried a Windows/IIS-based
> buffer overrun against your Sun box that's running Apache. The diagnosis
> is correct, but you may not choose to care.
>
> Given those definitions, my answers would be:
> "as many false alarms as it generates" and "any"
>
> The problem is that a lot of the time people are expected to put sensors
> or detectors/monitoring systems in place to monitor networks that are,
> basically, too permeable. So, of course, there are tons and tons of
> alarms. And, the sensor/IDS/monitor gets blamed for being "too noisy"
> when in fact the situation is that "the network's security sucks."
>
> A perfect example of this would be one site I worked with back in the IDS
> days: they complained bitterly that the IDS generated "too much noise"
> but their policy was that port 80 was allowed unimpeded inbound access
> through their firewall. OF COURSE the IDS generated a lot of noise - it was
> correctly and fairly accurately identifying the approximately 30,000 real
> attack attempts that were being launched against machines on the
> customer's internal network EVERY DAY. The fun part was when
> management didn't like my assessment of their situation and sent their
> technical staff to go "get another opinion from a REAL IDS expert."
>
> mjr.
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis at loganalysis.org
> http://www.loganalysis.org/mailman/listinfo/loganalysis
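Ranum's distinction above (a false alarm is a correct diagnosis that context makes uninteresting) is the kind of thing an alert pipeline can encode. The following is an added illustration, not code from the thread or from any product: it triages constructed alerts against a hypothetical asset inventory and an "inbound port 80 is accepted" policy, and deliberately does not try to decide false positives, which need the traffic rather than the inventory.

```python
"""Triage that separates actionable alerts from Ranum-style false alarms.

Constructed example: hostnames, signatures and the inventory are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    signature: str     # what the sensor says it saw
    target: str        # hostname the traffic was aimed at
    port: int
    affects: frozenset = frozenset()   # platforms the exploit works against; empty = any


# Constructed inventory: OS and the service behind each listening port.
INVENTORY = {
    "www1": {"os": "sunos", "services": {80: "apache"}},   # the "Sun box running Apache"
    "www2": {"os": "windows", "services": {80: "iis"}},
}
# Constructed policy: inbound ports the site deliberately leaves open.
POLICY_OPEN_PORTS = {80}


def triage(alert, inventory=INVENTORY, open_ports=POLICY_OPEN_PORTS):
    """Return 'actionable', 'false-alarm/not-applicable' or 'false-alarm/policy'."""
    host = inventory.get(alert.target)
    if host is None:
        return "actionable"   # no context to dismiss it with; inventory gap, not a false alarm
    platforms = {host.get("os"), host["services"].get(alert.port)} - {None}
    if alert.affects and not (alert.affects & platforms):
        return "false-alarm/not-applicable"   # diagnosis right, target cannot be affected
    if alert.signature == "inbound-connection" and alert.port in open_ports:
        return "false-alarm/policy"           # the event is what the policy accepts
    return "actionable"


def summarize(alerts, **kw):
    """Count verdicts so the 'noise' can be attributed to policy, context or real attacks."""
    counts = {}
    for a in alerts:
        verdict = triage(a, **kw)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample alerts mirroring the cases in the thread.
SAMPLE = [
    Alert("iis-buffer-overrun", "www1", 80, frozenset({"iis"})),   # Sun/Apache box
    Alert("iis-buffer-overrun", "www2", 80, frozenset({"iis"})),   # real IIS box
    Alert("inbound-connection", "www1", 80),                        # allowed by policy
    Alert("apache-overrun", "www1", 80, frozenset({"apache"})),     # applicable, actionable
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a.signature:20s} -> {a.target}:{a.port}  {triage(a)}")
    print(summarize(SAMPLE))
```

The 30,000 daily port-80 attack attempts in the story would still come out as actionable here, which is the point: the noise was real attacks let in by policy, not a sensor defect.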