From: Chad Skipper (cskippersymantec.com)
Date: Wed May 30 2001 - 12:42:05 CDT
> Robert wrote:
>How would you validate a half scan? What I mean is a potential attacker
>conducting the first part of an attack which shows up in the NIDS/HIDS but
>is never completed. The attacker has gained some information about the
>targeted network based on the responses (or lack) and may be using that
>information for a later full attack.
>Shouldn't this be considered a false positive? Or would (should) it be
>added to the db for later correlation?
This is exactly what I meant when I said "Of course this all depends on the
solution you are looking for. Do you want to know about all the "door
rattlers" or just the successful attacks? In any case both solutions can be
I personally think that half scans are NOT false positives. If this half
scan does trigger the alert, then the sensor has done its job. It has
alerted you that an attack has been attempted. Most signatures look for the
complete session of the attack and therefore would *probably* only alert on
the succession of the attack. If there were a signature for a half scan,
then this would need to be correlated with the other sensors and DB.
Again, there are thousands of possibilities here. Using AI within security
products will be different for each organization. This is all conceptual.
Just putting my thoughts into cyberspace.
Chad R. Skipper
Sr. Software Engineer
From: Robert Kinsey - VIS Contractor <ly.af.mil>
To: IDS-FocusList <FOCUS-IDSsecurityfocus.com>
Subject: Re: Definition of false positive
Date: 05/30/2001 08:00 AM
I have a question on part of Chad's response.
How would you validate a half scan? What I mean is a potential attacker
conducting the first part of an attack which shows up in the NIDS/HIDS but
is never completed. The attacker has gained some information about the
targeted network based on the responses (or lack) and may be using that
information for a later full attack.
Shouldn't this be considered a false positive? Or would (should) it be
added to the db for later correlation?
-- ROBERT KINSEY - Analyst Virus Analysis Team AFCERT
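The thread's point, that a half scan which trips a sensor is evidence to keep rather than a false positive to discard, and that it only becomes useful once it is correlated with other sensors and a database, can be shown with a small correlation store. The following is an added example written for this archive page; it is not code from either poster and models no real IDS product. Event fields, sensor names and all addresses are constructed sample data, and the correlation window is an assumed tuning value.

```python
"""Toy correlation of half-open ("door rattler") events with later full-session alerts.

Added illustration, not the posters' code. Every record below is constructed;
field names and sensor names are assumptions, not any product's real format.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: int          # time the sensor saw it, in seconds (constructed values)
    sensor: str      # reporting sensor, e.g. "nids-dmz" (assumed name)
    src: str         # source address
    dst: str         # destination address
    dport: int       # destination port
    kind: str        # "half_open": begun, never completed; "session": full-attack signature fired


@dataclass
class Correlator:
    """Keeps half-open attempts per source so a later alert can be tied back to them."""
    window: int = 3600   # assumed: how far back (seconds) earlier probes still count
    half_scans: Dict[str, List[Event]] = field(default_factory=lambda: defaultdict(list))
    findings: List[dict] = field(default_factory=list)

    def ingest(self, ev: Event) -> Optional[dict]:
        if ev.kind == "half_open":
            # Not discarded as a false positive: stored as reconnaissance evidence.
            self.half_scans[ev.src].append(ev)
            return None
        if ev.kind != "session":
            raise ValueError(f"unknown event kind {ev.kind!r}")
        # A completed-session alert: look back for earlier door rattling from the same source.
        prior = [h for h in self.half_scans[ev.src] if 0 <= ev.ts - h.ts <= self.window]
        finding = {
            "src": ev.src,
            "dst": ev.dst,
            "dport": ev.dport,
            "ts": ev.ts,
            "prior_half_scans": len(prior),
            "probed_ports": sorted({h.dport for h in prior}),
            "sensors": sorted({h.sensor for h in prior} | {ev.sensor}),
            # Earlier probing from the same source raises the priority of the finding.
            "priority": "high" if prior else "normal",
        }
        self.findings.append(finding)
        return finding

    def door_rattlers(self, min_probes: int = 3) -> Dict[str, int]:
        """Sources with repeated half-open attempts, for those who want to see them too."""
        return {src: len(evs) for src, evs in self.half_scans.items() if len(evs) >= min_probes}


# Constructed sample input: one source probes three ports, then returns with a full
# session; another source probes once, then a session alert fires long after the window.
SAMPLE_EVENTS = [
    Event(100, "nids-dmz", "192.0.2.10", "198.51.100.5", 22, "half_open"),
    Event(101, "nids-dmz", "192.0.2.10", "198.51.100.5", 80, "half_open"),
    Event(102, "nids-dmz", "192.0.2.10", "198.51.100.5", 443, "half_open"),
    Event(200, "nids-core", "192.0.2.77", "198.51.100.9", 25, "half_open"),
    Event(900, "hids-web1", "192.0.2.10", "198.51.100.5", 80, "session"),
    Event(9000, "hids-mail", "192.0.2.77", "198.51.100.9", 25, "session"),
]


def run(events=SAMPLE_EVENTS, window: int = 3600) -> Correlator:
    """Feed events in time order and return the populated correlator."""
    c = Correlator(window=window)
    for ev in sorted(events, key=lambda e: e.ts):
        c.ingest(ev)
    return c


if __name__ == "__main__":
    corr = run()
    for f in corr.findings:
        print(f)
    print("door rattlers:", corr.door_rattlers())
```

With the sample data, the first session alert is reported with three prior probes (ports 22, 80 and 443 from the DMZ sensor) and marked high priority, while the second one finds nothing inside the window and stays at normal priority. The half-open records themselves remain in the store, which is the "added to the db for later correlation" option from the question.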