Before discussing Snort rules specifically, I need to briefly mention the concept of false positives. In common security language, a false positive is considered to be an alert that does not represent a real security concern. For example, one or more of the following could be considered false positives:
Requires Membership to View
To gain access to this and all member only content, please provide the following information:
By submitting your registration information to SearchSecurityChannel.com you agree to receive email communications from the TechTarget network of sites, and/or third party content providers that have relationships with TechTarget, based on your topic interests and activity, including updates on new content, event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile, unsubscribing via email or by contacting us here
- Your use of SearchSecurityChannel.com is governed by our Terms of Use
- We designed our Privacy Policy to provide you with important disclosures about how we collect and use your registration and other information. We encourage you to read the Privacy Policy, and to use it to help make informed decisions.
- If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States.
- An IDS reports an attack that targets Microsoft IIS Web servers, but the attack is directed against an Apache Web server.
- An IDS reports seeing an event that shows syntax used in an attack, but the syntax is used in a benign manner by an authorized user.
- An IDS reports seeing a security event, but the traffic it believes it saw never actually occurred on the wire.
By my standards, only scenario three represents an actual false positive. The IDS was told to provide an alert when detecting a certain traffic pattern. Although that pattern did not pass on the wire, the IDS reported an alert. That is a significant problem and can be justified as a false positive.
I don't consider scenarios one and two to be false positives. If an operator tells an IDS to detect an event that matches certain characteristics, and the IDS performs that role properly, there is no false positive. I would blame the rule writer, IDS operator, and/or the IDS developer for setting the rule that resulted in the undesirable alert. There is little point blaming the tool for doing what it was told to do.
Snort Report -- IDS Snort rules
Introduction
False positives
Sourcefire rules
Bleeding Edge Threats rules
Acquiring Snort rules
Activating Snort rules
Loading rules
About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.
This was first published in April 2007