Technique
Active alert verification is a technique designed to reduce the false positive
rate of IDSs by actively probing for the vulnerability associated with each detected
attack. If the vulnerability corresponding to a detected attack is found to
exist on the host or network against which the attack was directed, the alert
is generated as normal, invoking any logging and response functions. If,
however, the vulnerability is determined not to exist, the alert is considered
a false positive and is suppressed.
Implementation
Our current implementation of alert verification is a patch to Snort using
the general algorithm outlined above. The verification component of the system
is currently implemented as a set of NASL scripts mapped to
Snort rules by CVE IDs. When a rule is triggered, the suspect
packet and associated event data are queued for verification. A separate thread
processes queued unverified alerts by running the associated NASL script against
the target host to test for the presence or absence of the vulnerability
corresponding to the detected attack. If the NASL script determines that the
vulnerability does exist on the target host, the alert is marked as
verified. If the NASL script determines that the vulnerability does not
exist, the alert is marked as unverified. Finally, if no NASL script corresponding
to the detected attack is found, the alert is marked as unverifiable. The alert
is then released back to the Snort engine.
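The queue-and-worker flow described above, as an added example that is not part of the snort-av patch or Snort itself. It stands in for the real pieces with constructed data: the rule IDs, CVE IDs, the host inventory and the probe function are hypothetical, and the probe merely looks a CVE up in that inventory where a NASL script would test the host over the network. The reporting policy (suppress only alerts positively shown to be unverified, report unverifiable ones) is an assumption of this example, since the page does not say how unverifiable alerts are handled downstream.

```python
"""Simulation of asynchronous alert verification (added example, not snort-av code)."""
import queue
import threading
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Status(Enum):
    PENDING = "pending"            # queued, not yet checked
    VERIFIED = "verified"          # script found the vulnerability on the target
    UNVERIFIED = "unverified"      # script found the target not vulnerable
    UNVERIFIABLE = "unverifiable"  # no script mapped to this rule's CVE


@dataclass
class Alert:
    sid: int          # rule ID that fired
    target: str       # host the attack was directed at
    status: Status = Status.PENDING


# Constructed rule -> CVE mapping (hypothetical SIDs and placeholder CVE IDs).
RULE_TO_CVE: Dict[int, Optional[str]] = {
    1001: "CVE-0000-0001",
    1002: "CVE-0000-0002",
    1003: None,  # rule carries no CVE reference at all
}

# Constructed inventory standing in for what a NASL script would learn by
# probing the host: host -> set of CVE IDs actually present there.
TARGET_VULNS: Dict[str, set] = {
    "10.0.0.5": {"CVE-0000-0001"},   # unpatched host
    "10.0.0.6": set(),               # patched host
}


def probe_cve_0001(host: str) -> bool:
    """Stand-in for the NASL check for CVE-0000-0001: True if the host is vulnerable."""
    return "CVE-0000-0001" in TARGET_VULNS.get(host, set())


# CVE -> verification script. CVE-0000-0002 deliberately has no script.
VERIFIERS: Dict[str, Callable[[str], bool]] = {
    "CVE-0000-0001": probe_cve_0001,
}


def verify_alert(alert: Alert) -> Alert:
    """Classify one alert as the worker thread would: verified, unverified or unverifiable."""
    cve = RULE_TO_CVE.get(alert.sid)
    script = VERIFIERS.get(cve) if cve else None
    if script is None:
        alert.status = Status.UNVERIFIABLE
    elif script(alert.target):
        alert.status = Status.VERIFIED
    else:
        alert.status = Status.UNVERIFIED
    return alert


def run_verification(alerts: List[Alert]) -> List[Alert]:
    """Queue alerts from the detection path and drain the queue on a separate thread."""
    pending: "queue.Queue" = queue.Queue()

    def worker() -> None:
        while True:
            item = pending.get()
            if item is None:          # sentinel: detection engine is shutting down
                break
            verify_alert(item)
            pending.task_done()

    t = threading.Thread(target=worker, daemon=True)
    t.start()
    for a in alerts:                  # detection path: enqueue, keep processing packets
        pending.put(a)
    pending.put(None)
    t.join()
    return alerts


def should_report(alert: Alert) -> bool:
    """Reporting policy (assumption of this example): suppress only alerts
    positively shown to be false positives; report verified and unverifiable ones."""
    return alert.status in (Status.VERIFIED, Status.UNVERIFIABLE)


if __name__ == "__main__":
    batch = run_verification([
        Alert(1001, "10.0.0.5"),  # vulnerable host: verified, reported
        Alert(1001, "10.0.0.6"),  # patched host: unverified, suppressed
        Alert(1002, "10.0.0.5"),  # CVE with no script: unverifiable
        Alert(1003, "10.0.0.5"),  # rule with no CVE: unverifiable
    ])
    for a in batch:
        print(a.sid, a.target, a.status.value, "REPORT" if should_report(a) else "SUPPRESS")
```

The point to take from the worker is that verification happens off the detection path: the rule still fires synchronously and the packet keeps flowing, and only the decision to report or suppress waits on the probe. A real deployment also has to decide how to treat hosts the probe cannot reach at all; this example folds that case into "not vulnerable", which is the unsafe direction.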
The latest patch against Snort may be downloaded here.
Limitations and Future Work
This patch requires the various components of the Nessus vulnerability scanner in order to perform its alert verification. However, the technique
could be implemented using a variety of different backends, selected
according to the specific target, vulnerability, etc.
Also, the patch currently limits the modified Snort build to non-Win32 systems, as the threading code has not been ported.
Recent Project News
Snort alert verification v0.9.6 has been released for snort v2.1.3.
The patch can be downloaded from the project download page.
Snort alert verification v0.9.5.1 has been released, which updates the
preferred Nessus libraries to v2.0.10 and addresses an RPM build error
reported in v0.9.5. The patch and source archive can be downloaded here.
The v0.9.5 snort-av patch has been backported to Snort v2.0.6, and can
be downloaded at the usual place.
An update to our alert verification patch to Snort has been released
which moves the upstream Snort source to v2.1.0 and fixes a
FreeBSD build issue. The current patch and pre-patched Snort source
archive can be fetched from the project software page.
Christopher and I have published a short article on alert verification over at HHWorld. We give
a short description of our implementation as well as an overview of the
categories of alert verification techniques which can be employed by an IDS.