>> Is it a false positive a case where there is no rule, or the traffic
>> does not match with the rule, and the engine still fires?
> This does not fit with the above definition since the alert must be
> triggered by the traffic.

You would be surprised to know that this is the only case where you're pretty sure it IS a false positive that you are looking at (a false positive of the engine itself, whereas the other examples are noncontextual alerts caused by careless configuration by the user).

> Yes, if there was no attack or intrusion triggering the alert. But, why
> would the user not want to be alerted if it is a real intrusion?

Because maybe it is a rule firing for a real attack on a vulnerability that is not present. By the way: is this a false positive or not? :-) Do you see why I say that "false positive" is a dangerous beast to define?

> With respect to using the alerts as input to our algorithm, none of these
> objections are important. We just use the type of alerts as sensor data
> that we want to analyze to see when the frequencies of each type of
> alert diverge from what previously has been observed.

And what does that imply? Do you filter out what diverges, or do you filter out what does not diverge? How does "diverging statistically" with the specific algorithm which you chose actually have any relationship with an alert being a false positive or not?

> Well, there is nothing that says that there must be any difference
> between a false and a true alert.

That's the point, exactly.

> However, assume that there is
> legitimate traffic that triggers false alerts on a regular basis.

Here you are: you are detecting misconfigurations and noncontextuals, not false positives ;-) As I said, it's a matter of definition. And "artificial ignorance" (as dubbed by Marcus Ranum) works using the principle you stated, but with a much simpler apparatus. If this is all you're looking for, then probably the algorithm you are using is overkill.

(and, in IDEVAL, there's probably no such traffic, unless you severely misconfigure Snort)

Best,
Stefano
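The two approaches contrasted in the reply above, Ranum's "artificial ignorance" and the frequency-divergence idea, side by side on the same alert stream, as an added example (it is not code from the thread or from either poster). The alert lines are constructed in Snort's "fast" alert format; the SIDs 1000001 to 1000004, the rule messages, the addresses and the 3x divergence threshold are all hypothetical. Both methods surface the same "cmd.exe" alerts, and neither one can say whether those are false positives: on an Apache host they are a real attack against a vulnerability that is not present, which is exactly the definitional problem the reply raises.

```python
"""Artificial ignorance vs. frequency divergence over Snort fast-alert lines.

Added example, not from the thread. All SIDs, messages and hosts are hypothetical.
"""
import re
from collections import Counter

# One Snort "fast" alert line, e.g.
# 05/01-00:00:00.000000 [**] [1:1000001:1] HYPO ICMP PING [**] [Priority: 2] {ICMP} 10.0.0.2 -> 10.0.0.9
FAST_ALERT = re.compile(
    r"^\S+ \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def parse_alert(line):
    """Return the alert fields as a dict (sid as int), or None if the line is not a fast alert."""
    m = FAST_ALERT.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    return d


def fast_line(ts, sid, msg, proto, src, dst):
    """Build a constructed fast-alert line (gid 1, rev 1, priority 2)."""
    return f"{ts} [**] [1:{sid}:1] {msg} [**] [Priority: 2] {{{proto}}} {src} -> {dst}"


# Constructed data. BASELINE is a quiet period: the monitoring host 10.0.0.2 pings
# and SNMP-polls the web server 10.0.0.9, plus one stray IIS probe. WINDOW is the
# period under analysis: same background noise, more IIS probes, and a new SQLi alert.
_MON, _WEB = "10.0.0.2", "10.0.0.9"
BASELINE = (
    [fast_line(f"05/01-00:{i:02d}:00.000000", 1000001, "HYPO ICMP PING from monitoring host", "ICMP", _MON, _WEB) for i in range(6)]
    + [fast_line(f"05/01-01:{i:02d}:00.000000", 1000002, "HYPO SNMP public community string", "UDP", f"{_MON}:50000", f"{_WEB}:161") for i in range(4)]
    + [fast_line("05/01-02:00:00.000000", 1000003, "HYPO WEB-IIS cmd.exe access", "TCP", "203.0.113.7:40000", f"{_WEB}:80")]
)
WINDOW = (
    [fast_line(f"05/02-00:{i:02d}:00.000000", 1000001, "HYPO ICMP PING from monitoring host", "ICMP", _MON, _WEB) for i in range(6)]
    + [fast_line(f"05/02-01:{i:02d}:00.000000", 1000002, "HYPO SNMP public community string", "UDP", f"{_MON}:50000", f"{_WEB}:161") for i in range(4)]
    + [fast_line(f"05/02-02:{i:02d}:00.000000", 1000003, "HYPO WEB-IIS cmd.exe access", "TCP", "198.51.100.9:40000", f"{_WEB}:80") for i in range(4)]
    + [fast_line(f"05/02-03:{i:02d}:00.000000", 1000004, "HYPO SQL injection attempt in URI", "TCP", "198.51.100.9:40100", f"{_WEB}:80") for i in range(2)]
)

# Artificial ignorance (Ranum): a hand-maintained list of patterns for alert types
# that an analyst has already examined and judged noncontextual on this network.
# Matching lines are dropped; whatever is left is what nobody has explained yet.
# Patterns pin the source host, so the same SID from anywhere else still shows.
IGNORE_PATTERNS = [
    re.compile(r"\[1:1000001:\d+\] .* 10\.0\.0\.2 -> "),      # pings, only from the monitoring host
    re.compile(r"\[1:1000002:\d+\] .* 10\.0\.0\.2:\d+ -> "),  # SNMP polls, only from the monitoring host
]


def artificial_ignorance(lines, patterns=IGNORE_PATTERNS):
    """Return the lines that match none of the known-noise patterns."""
    return [ln for ln in lines if not any(p.search(ln) for p in patterns)]


def _count_by_sid(lines, msgs):
    counts = Counter()
    for ln in lines:
        a = parse_alert(ln)
        if a:
            counts[a["sid"]] += 1
            msgs[a["sid"]] = a["msg"]
    return counts


def divergent_types(baseline_lines, window_lines, ratio=3.0, min_count=2):
    """Flag alert types whose count in the window is unseen in the baseline or
    at least `ratio` times the baseline count. Returns {sid: (base, window, msg)}.
    Note that a noncontextual alert firing at a steady rate is never flagged."""
    msgs = {}
    base = _count_by_sid(baseline_lines, msgs)
    win = _count_by_sid(window_lines, msgs)
    flagged = {}
    for sid, n in win.items():
        if n < min_count:
            continue
        if sid not in base or n / base[sid] >= ratio:
            flagged[sid] = (base[sid], n, msgs[sid])
    return flagged


if __name__ == "__main__":
    for ln in artificial_ignorance(WINDOW):
        print("IGNORANCE:", ln)
    for sid, (b, w, msg) in sorted(divergent_types(BASELINE, WINDOW).items()):
        print(f"DIVERGENT: sid {sid} baseline={b} window={w} {msg}")
```

The ignore list is where the "much simpler apparatus" lives: it encodes a human judgement per alert type and source, and it is wrong exactly when that judgement was careless. The divergence check needs no judgement but also has no notion of context, so the steady background of monitoring pings is invisible to it while a rise in any alert type, noise or not, is flagged.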
