Investigating the problem of IDS false alarms: An experimental study using Snort

IFIP International Federation for Information Processing

Volumn 278, Issue , 2008, Pages 253-267

  Tjhai, Gina C ^a   Papadaki, Maria ^a   Furnell, S M ^a   Clarke, N L ^a  

^a UNIVERSITY OF PLYMOUTH   (United Kingdom)

Author keywords

False alarm; Intrusion Detection System; Snort

Indexed keywords

ERRORS;

FALSE ALARMS; INTRUSION DETECTION SYSTEMS; SNORT;

INTRUSION DETECTION;

EID: 48249145157     PISSN: 15715736     EISSN: None     Source Type: Book Series    
DOI: 10.1007/978-0-387-09699-5_17     Document Type: Conference Paper

References (26)

1. Allen J, Christie A, Fithen W, McHugh J, Pickel J, Stone E (2000) State of the Practice of Intrusion Detection Technologies. Available via Software Engineering Institute. http://www.sei.cmu.edu/publications/ documents/99.reports/99tr028/99tr028abstract.html. Cited 9 January 2007
2. Axelsson S (2000) The Base-Rate Fallacy and the Difficulty of Intrusion Detection. ACM Transactions on Information and System Security 3(3), 186-205
3. BASE (2007) Basic Analysis and Security Engine (BASE) Project. Available via BASE Project. http://base.secureideas.net/. Cited 25 April 2007
4. Brugger ST, and Chow J (2005) An Assessment of the DARPA IDS Evaluation Dataset Using Snort. Available via UCDAVIS department of Computer Science. http://www.cs.ucdavis.edu/research/tech-reports/2007/ CSE-2007-1.pdf. Cited 2 May 2007
5. Bugtraq (2007a) Microsoft IIS 5.0 "Translate: F" Source Disclosure Vulnerability. Available via Security Focus. http://www.securityfocus.com/bid/1578. Cited 9 June 2007
6. Bugtraq (2007b) Microsoft IISWebDAV http Request Source Code Disclosure Vulnerability. Available via Security Focus. http://www.securityfocus.com/bid/14764. Cited 9 June 2007
7. Caswell B and Roesch M (2004) Snort: The open source network intrusion detection system. Available via Snort. http://www.snort.org/. Cited 3 October 2007
8. Chapple M (2003) Evaluating and Tuning an Intrusion Detection System. Available online: SearchSecurity.com. http://searchsecurity.techtarget.com. Cited 1 November 2006
9. Chyssler T, Burschka S, Semling M, Lingvall T and Burbeck K (2004) Alarm Reduction and Correlation in Intrusion Detection Systems. Available via The Department of Computer and Information Science Linkopings Universitet. http://www.ida.liu.se/rtslab/publications/2004/ Chyssler04_DIMVA.pdf. Cited 15 June 2007
10. GCIA (2008) GIAC Certified Intrusion Analyst (GCIA). Available via Global Information Assurance Certification. http://www.giac.org/ certifications/security/gcia.php. Cited 8 May 2007
11. Koziol J (2003) Intrusion Detection with Snort, 2Rev edition. Sams Publishing, United States of America
12. Kruegel C and Robertson W (2004) Alert Verification: Determining the Success of Intrusion Attempts, Proc. First Workshop the Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA 2004). Available via Department of Computer Science, University of California, Santa Barbara. http://www.cs.ucsb.edu/wkr/publications/ dimva04verification.pdf. Cited 19 May 2007
13. Lippmann RP, Haines JW, Fried DJ, Korba J and Das KJ (2000) The 1999 DARPA off-line intrusion detection evaluation. Computer Networks 34:579-595
14. Mahoney MV and Chan PK (2003) An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection. In Recent Advances in Intrusion Detection (RAID2003), Lecture Notes in Computer Science, Springer-Verlag 2820:220-237
15. McHugh J (2000) Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory. ACM Transactions on Information and System Security 3(4), 262-294
16. Mell P, Hu V, Lippmann R, Haines J and Zissman M(2003) An Overview of Issues in Testing Intrusion Detection Systems. NISTIR 7007. Available via National Institute of Standards and Technology. http://csrc.nist.gov/ publications/nistir/nistir-7007.pdf. Cited 7 July 2007
17. Patton S, Yurcik W and Doss D (2001) An Archilles' Heel in Signature-Based IDS: Squealing False Positives in SNORT. Recent Advanced in Intrusion Detection (RAID), Univ. of California-Davis.
18. Ritter J (2006) Ngrep - network grep. Available via SourceForge.net. http://ngrep.sourceforge.net. Cited 30 June 2007
19. Snort (2007a) Event Thresholding. Available via Snort. http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node22.html. Cited 1 July 2007
20. Snort (2007b) WEB-IIS view source via translate header. Available via Snort. http://snort.org/pub-bin/sigs.cgi?sid=1042. Cited 9 June 2007
21. Snort (2007c) WEB-MISC robots.txt access. Available via Snort. http://www.snort.org/pub-bin/sigs.cgi?sid=1:1852. Cited 9 June 2007
22. Snort (2007d) ICMP L3retriever Ping. Available via Snort. http://www.snort.org/pub-bin/sigs.cgi?sid=1:466. Cited 13 June 2007
23. Tjhai GC, Papadaki M, Furnell SM and Clarke NL (2008) The problem of false alarms: Evaluation with Snort and DARPA 1999 Dataset. Submitted to TrustBus 2008, Turin, Italy, 1-5 September 2008
24. Web Server Talk (2005) L3Retriever false positives. Available via Web Server Talk. http://www.webservertalk.com/message893082.html. Cited 12 July 2007
25. WebDAV (2001) WebDAV Overview. Available via Sambar Server Documentation. http://www.sambar.com/syshelp/webdav.htm. Cited 20 June 2007
26. Zhou A, Blustein J, and Zincir-Heywood N (2004) Improving Intrusion Detection Systems Through Heuristic Evaluation. 17th Annual Canadian Conference on Electrical and Computer Engineering. http://users.cs.dal.ca/_jamie/pubs/PDF/Zhou+CCECE04.pdf. Cited 25 June 2007