Re: Announcement: Alert Verification for Snort

From: Sam f. Stover (sstoveratrc.sytexinc.com)
Date: Thu Oct 23 2003 - 19:31:10 CDT


On Thursday, October 23, 2003, at 07:03 PM, Christopher Kruegel wrote:

> From a theoretical point of view, I think that Marty is right and his
> classification is correct.

I probably agree with you both "theoretically". However, I was talking
about what actually happens to real users. I used to work for an IDS
vendor, and I know how much of a glass bubble it can be. Out in the
"real world" however, theory is vastly different than practice.

> In fact, we had a discussion about whether 'alert verification' was
> the correct term to use. We then concluded that most people don't care
> why they spent time looking at an alert that doesn't matter to them
> and that they refer to such alerts in general as false positives.

This is *not* my experience. I personally get extremely annoyed if
it's my fault (or the fault of the tool I chose to employ) that leads
me on a wild goose chase. I want my IDS to learn with me, not
constantly provide me with the same level of annoyance. It needs to
evolve.

> That's why we used the terminology that we did.

That's cool. I know my opinion doesn't really matter in the end. I
just thought I'd contribute my experiences. ;-)

____
S.f.Stover
sstoveriwc.sytexinc.com
