Re: Announcement: Alert Verification for Snort
From: Konrad Rieck (kr_at_roqe.org)
Date: 10/23/03
- Previous message: Martin Roesch: "Re: Announcement: Alert Verification for Snort"
- In reply to: Christopher Kruegel: "Announcement: Alert Verification for Snort"
- Next in thread: Michael Stone: "Re: Announcement: Alert Verification for Snort"
- Reply: Michael Stone: "Re: Announcement: Alert Verification for Snort"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Focus IDS <focus-ids@securityfocus.com> Date: Thu, 23 Oct 2003 12:03:13 +0200
Hi,
On Wed, 2003-10-22 at 03:16, Christopher Kruegel wrote:
> The idea is to actively probe for the vulnerability that is exploited by
> a certain detected attack. When the victim is not vulnerable, the
> alert can be simply discarded or tagged with a low priority.
I am a little bit confused by this solution.
If Snort or any IDS reports an alert with CVE number, and the
corresponding probe (in your case a NASL script) doesn't detect a
vulnerability, can you ensure that there isn't one?
I wouldn't discard alerts or lower their priority, just because one of
thousand code snippets failed to exploit a vulnerability on a specific
system in a specific environment -- others might do.
Just my 2 Cents.
Regards,
Konrad
-- Konrad Rieck <kr@roqe.org> - http://people.roqe.org/kr PGP: 5803 E58E D1BF 9A29 AFCA 51B3 A725 EA18 ABA7 A6A3
- application/pgp-signature attachment: This is a digitally signed message part
- Previous message: Martin Roesch: "Re: Announcement: Alert Verification for Snort"
- In reply to: Christopher Kruegel: "Announcement: Alert Verification for Snort"
- Next in thread: Michael Stone: "Re: Announcement: Alert Verification for Snort"
- Reply: Michael Stone: "Re: Announcement: Alert Verification for Snort"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
