NIDS Weaknesses

• Potential for many false positives

  • ex: CS “mirror” server
    • every Linux distribution includes files with “dangerous” assembly language sequences
    • NIDS detect ftp packets downloading those files...
  • ex: SNORT at CS border reported thousands of potential attacks every day