Dailydave mailing list archives

Re: Vuln scoring system anyone?


From: security curmudgeon <jericho () attrition org>
Date: Tue, 1 Mar 2005 16:00:55 -0500 (EST)


: > What if someone posts to an incident list that they got owned by
: > this vuln, but the vendor hasn't ack'd it?
: 
: I wouldn't trust randoms on an incident list to know what
: vulnerability caused the incident they are investigating.
: 
: If you see an email to bugtraq saying:
:     "I found a vuln in SSH."
: 
: And someone else sends an email to incidents:
:     "I only run SSH and got owned via SSH."
: 
: Then you've got a new confirmed vulnerability?  Not hardly.

Of course not. But some of the folks on the incidents lists are bright
people. If they show traces and logs and supporting evidence that the
compromise occurred via the same service reported vulnerable days prior, it
stands a good chance to be related.

What if someone posted a Snort signature for a new vuln before a vendor
ack'd it? You have no proof that it's a valid vulnerability yourself, but
you have a detailed advisory from a reputable security researcher and a
respected Snort sig writer that tested the vulnerability and wrote a
signature to monitor for exploitation.

That has to count for something, yes?