Saturday, January 28, 2006

Squealing False Positives in SNORT

The vulnerability that has been reported against SNORT is quite serious. False positives have been a big issue in the intrusion detection arena since the earliest systems. However, the issue addressed in this paper is specific to packet-based network monitoring systems, because the actual vulnerability lies in manipulating network packets. The report says: “The limitation is not the ability to accurately detect misuse behavior but rather the ability to suppress false alarms”. This is a major issue in signature-based intrusion detection systems. The reason is the pattern-matching approach taken by most of these tools, and SNORT does the same. When an attacker decides to generate malicious-looking packets at will, the system's capabilities are not sufficient to distinguish the real ones from the fake ones. How this could be overcome is still an open question. Because SNORT is a simple tool by design, building in the knowledge needed to discriminate real from fake packets would become an overhead in its implementation. However, this issue should be addressed by commercial IDS products that are also based on packet-based network monitoring, as customers will not be happy to be bogged down by false alarms after spending thousands of dollars on their NIDS.
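To make the point concrete, here is a small added illustration, not code from the post, the paper, or SNORT itself. It runs a toy content-matching detector over constructed traffic: a genuine client request inside a completed TCP handshake, and a single crafted packet carrying the same bytes with no handshake behind it. A plain content rule fires on both, so the detector cannot tell them apart. A second rule that additionally requires an established flow (an `established_only` flag of my own naming, loosely the idea that SNORT's rule language expresses with its `flow` keyword) suppresses the alert on the one-shot packet. Addresses, ports, and the `EXAMPLE-ATTACK-STRING` pattern are all constructed for the example.

```python
"""Toy signature detector: content match alone vs. content match plus flow state.
Added example; the Packet/Signature/FlowTable names and all traffic are constructed."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # simplified TCP flags: "S", "SA", "A", "PA"
    payload: bytes


@dataclass
class Signature:
    sid: int
    msg: str
    dport: int
    content: bytes
    established_only: bool = False   # hypothetical option: alert only inside a completed handshake


# Two rules with the same content; only the second is tied to flow state.
SIGNATURES = [
    Signature(1001, "TOY probe (content only)", 80, b"EXAMPLE-ATTACK-STRING"),
    Signature(1002, "TOY probe (flow-aware)", 80, b"EXAMPLE-ATTACK-STRING", established_only=True),
]


class FlowTable:
    """Tracks client->server flows through a simplified three-way handshake."""

    def __init__(self):
        self.state = {}   # (client, server, server_port) -> handshake state

    def update(self, pkt):
        fwd = (pkt.src, pkt.dst, pkt.dport)
        if pkt.flags == "S":
            self.state[fwd] = "SYN_SENT"
        elif pkt.flags == "SA":
            # Server reply: key the flow by the original client->server direction.
            rev = (pkt.dst, pkt.src, pkt.sport)
            if self.state.get(rev) == "SYN_SENT":
                self.state[rev] = "SYN_RECV"
        elif pkt.flags == "A" and self.state.get(fwd) == "SYN_RECV":
            self.state[fwd] = "ESTABLISHED"

    def is_established(self, pkt):
        return self.state.get((pkt.src, pkt.dst, pkt.dport)) == "ESTABLISHED"


def content_match(pkt, sig):
    """The pattern-matching step: port and byte-string only, no context."""
    return pkt.dport == sig.dport and sig.content in pkt.payload


def detect(packets, signatures):
    """Return (sid, src) alerts; flow-aware rules require an established flow."""
    flows = FlowTable()
    alerts = []
    for pkt in packets:
        flows.update(pkt)
        for sig in signatures:
            if not content_match(pkt, sig):
                continue
            if sig.established_only and not flows.is_established(pkt):
                continue      # same bytes, but no handshake: suppressed
            alerts.append((sig.sid, pkt.src))
    return alerts


def sample_traffic():
    """Constructed traffic: one real session, one crafted stand-alone packet."""
    client, server, crafted_src = "10.0.0.5", "192.0.2.10", "203.0.113.7"
    probe = b"GET /EXAMPLE-ATTACK-STRING HTTP/1.0\r\n\r\n"
    return [
        Packet(client, server, 40000, 80, "S", b""),
        Packet(server, client, 80, 40000, "SA", b""),
        Packet(client, server, 40000, 80, "A", b""),
        Packet(client, server, 40000, 80, "PA", probe),       # genuine request in the flow
        Packet(crafted_src, server, 41000, 80, "PA", probe),  # identical bytes, no handshake
    ]


def run():
    return detect(sample_traffic(), SIGNATURES)


if __name__ == "__main__":
    for sid, src in run():
        print(f"alert sid={sid} from {src}")
```

Running it yields three alerts: rule 1001 fires for both the real client and the crafted source, while rule 1002 fires only for the real client. The content-only rule has no way to prefer one over the other, which is exactly the squealing problem; the flow-state check is one kind of extra knowledge that discriminates between them, at the cost of keeping per-flow state in the sensor.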
