Re: Announcement: Alert Verification for Snort
From: Sam f. Stover (sstoveratrc.sytexinc.com)
Date: Thu Oct 23 2003 - 19:31:10 CDT
On Thursday, October 23, 2003, at 07:03 PM, Christopher Kruegel wrote:
> From a theoretical point of view, I think that Marty is right and his
> classification is correct.
I probably agree with you both "theoretically". However, I was talking
about what actually happens to real users. I used to work for an IDS
vendor, and I know how much of a glass bubble it can be. Out in the
"real world" however, theory is vastly different than practice.
> In fact, we had a discussion about whether 'alert verification' was
> the correct term to use. We then concluded that most people don't care
> why they spent time looking at an alert that doesn't matter to them
> and that they refer to such alerts in general as false positives.
This is *not* my experience. I personally get extremely annoyed if
it's my fault (or the fault of the tool I chose to employ) that leads
me on a wild goose chase. I want my IDS to learn with me, not
constantly provide me with the same level of annoyance. It needs to
> That's why we used the terminology that we did.
That's cool. I know my opinion doesn't really matter in the end. I
just thought I'd contribute my experiences. ;-)