IDS false detection (time critical)

Printable View

May 13th, 2003, 11:14 AM
catch

IDS false detection (time critical)

I need credible data regarding false detection rates for some open source signature based network intrusion detection system.

I have been eyeing hogwash, but I can't seem to find any such data (and many pages regarding hogwash seem to be down which is never a good sign).

Please excuse my ignorance on this matter, I am not a network engineer, but I'd like to toss a few example COTS/Open Source IDS systems with a false detection rate of less than 1% into a proposal I am throwing together to point the engineers in the right direction.

If this is something real obvious I apologize, it is after three am and my brain has turned to tapioca trying to get this wrapped up. I don't actually need it until 5pm tomorrow, but I will have minimal time later.

Any answers before 4pm PST on May 13 would be greatly appreciated.
Thanks,

catch
May 13th, 2003, 12:07 PM
slarty

I used snort.

It is impossible to generalise in this case. It depends on many factors.

Usually you will get a very large rate of false positives if you enable every rule and do no tuning, however this will vary from system to system.

Networks which contain primarily servers will see a very small number of false positives, if any. Networks with clients will see a few. Networks with clients with P2P will see the number of real attacks swamped by all the P2P software's junk traffic.

I managed to tune an IDS on a server network such that it saw about no false positives, but the number of genuine attacks was so high that it was difficult to separate them out (100s of attacks per day sometimes, but only a few false positives)

Clearly the more rules you enable, the more false positives you will get. Nevertheless, you want to keep a maximum number of rules enabled.

The easiest way to prevent false positives is to filter out or ban P2P traffic on your network. P2P is so amazingly promiscuous it sets off nearly all the rules at once. Typical users leeching a load of stuff from P2P all day, using IM software and other funny stuff seems to generate so many types of weird packet.

Also, the rate of false positives depends on what you class as a single attack incident. Many kiddies use automated tools which set off a large number of rules all at once. Is that a single attack or multiple?

The level of IIS worm traffic is so high that you have to disable those rules in order to see anything useful at all (thousands of codered / nimda attacks per day)
May 13th, 2003, 12:34 PM
catch

I don't think I worded my question quite right... I mean what is the likelihood of valid traffic having a signature that matches evil traffic? Rules will be added dynamically and I need to ensure that legit traffic is flagged as minimally as possible. Are there ways of making the signatures more exact? In this case missing evil data isn't as impactful as not catching safe data and I realize this is an unusual situation.
I don't need to work out the nuts and bolts of this, just some vague gernal data. Hogwash is based on Snort so I suspect it should be similar enough...

thank you for your reply however. :)

catch
May 13th, 2003, 03:30 PM
gold eagle

I'll suggest NSW dragon squire. Slarty well advised that, like any product or solution, it all depends on how you set it up. Get some consulting advice if you are not up on the engineering side of things. You may wish to consider other products and have a run off demo.

Obviously, no source of IDS is excited about publishing their false positive and negative ratings.
May 13th, 2003, 04:15 PM
Networker

In ur proposal what type of IDS are u including?
Heuristics-based IDS or rule-based IDS (snort is a rule based model)?

Heuristics-based models are obviously highly susceptible to false positive.

Rule-based are using string pattern recognition as signature (to detect exploit & buffer overflow ), TCP & IP observation for IP spoofing and scan detection.
The string pattern recognition is sensible to false alarm. The great danger is the false alarm attack. Signatures are well known from customer...and attacker.
It's easy to forge packet that match well-known rules.

As said previously, u'll have to make a compromise between the list of signature & the risk of false positive. I don't believe that anyone can guarantee a threshold of false positive!
May 13th, 2003, 04:59 PM
slarty

Call me stupid,

but if you forge a packet with a signature of an attack, isn't that an attack itself?

A real false positive is where a legitimate allowed application inadvertently sets off a rule in good faith during normal operation.
May 13th, 2003, 05:39 PM
Networker

I guess ur right, thanx 2 u I'll improve my english.... since english is not my mother tongue
May 13th, 2003, 09:16 PM
catch

Re: IDS false detection (time critical)

I feel like I am not being heard. Default rules and such do not matter, they will all be removed anyhow. In a perfect world I would like to find:

What signature size/type X flase positive rate, their respective crossover rates as well as introduced latency. In a for every Y throughput format. (It seems like this data would be paramount, otherwise what do you people choose IDSes by? Who has the cooler logo? ;) )

Than I'd like to find what product offers signature mactching specifications of the ideal type. If no one has done this type of testing, than I'll need to include that in my proposal.

thanks,

catch
May 14th, 2003, 10:02 AM
Networker

catch:
as far as latency is concerned, a NIDS in stealth mode will not introduce any.
For HIDS I don't have a clue.
May 14th, 2003, 10:13 AM
slarty

As far as latency is concerned, you may (depending on your existing configuration) need to add another switch or hub (hub more likely) to your network.

This would introduce however much latency is associated with that hub (i.e. not very much)

The IDS itself won't cause any latency because it just listens.