El miÃ, 25 de 08 de 2004 a las 04:42, Charles Heselton escribiÃ:
On Sun, 22 Aug 2004 13:37:22 +0800, Lily <xiaoche111@hotmail.com> wrote:
hi,all
I am a youngling in IDS.I read some papers in network this days and the
more I read the little I understand.Because there are so many researching
area in IDS and I dont know what I'll do.There are some questions below:
Keep reading. ;)
1.If the false alarm rates have being resloved now?I think its a
essential premise of the area of "response mechanism of IDS" that I want to
research,do you think so?
False alarms depend upon the accuracy of your signatures, and the
peculiarity of your traffic. If the traffic in your environment is
out of RFC standard, but is considered "normal" for your environment,
it could produce a lot of false positives, especially with an anomaly
based IDS. I think that this is something that IDS will always have
to deal with. You can never have *perfect* detection.
Snort used to have a patch that was an anormality detector that could
learn from the "normal" traffic in your site and make alerts when
"strange" traffic was detected, but I think it didn't work very well
because it seems that they have quitted the development.
--
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÃA
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
