Investigating the problem of IDS false alarms: An experimental study using Snort

  • G.C. Tjhai
  • M. Papadaki
  • S.M. Furnell
  • N.L. Clarke
Part of the IFIP – The International Federation for Information Processing book series (IFIPAICT, volume 278)

Key words

Intrusion Detection System, False Alarm, Snort


Copyright information

© IFIP International Federation for Information Processing 2008

Authors and Affiliations

  • G.C. Tjhai (1)
  • M. Papadaki (1)
  • S.M. Furnell (1)
  • N.L. Clarke (1)

  1. The University of Plymouth, UK
