Re: Announcement: Alert Verification for Snort
From: Konrad Rieck (kr_at_roqe.org)
To: Focus IDS <firstname.lastname@example.org> Date: Thu, 23 Oct 2003 12:03:13 +0200
On Wed, 2003-10-22 at 03:16, Christopher Kruegel wrote:
> The idea is to actively probe for the vulnerability that is exploited by
> a certain detected attack. When the victim is not vulnerable, the
> alert can be simply discarded or tagged with a low priority.
I am a little bit confused by this solution.
If Snort or any IDS reports an alert with CVE number, and the
corresponding probe (in your case a NASL script) doesn't detect a
vulnerability, can you ensure that there isn't one?
I wouldn't discard alerts or lower their priority, just because one of
thousand code snippets failed to exploit a vulnerability on a specific
system in a specific environment -- others might do.
Just my 2 Cents.
-- Konrad Rieck <email@example.com> - http://people.roqe.org/kr PGP: 5803 E58E D1BF 9A29 AFCA 51B3 A725 EA18 ABA7 A6A3
- application/pgp-signature attachment: This is a digitally signed message part