IDS mailing list archives
Re: Announcement: Alert Verification for Snort
From: Konrad Rieck <kr () roqe org>
Date: Thu, 23 Oct 2003 12:03:13 +0200
Hi,

On Wed, 2003-10-22 at 03:16, Christopher Kruegel wrote:
> The idea is to actively probe for the vulnerability that is exploited by a certain detected attack. When the victim is not vulnerable, the alert can be simply discarded or tagged with a low priority.

I am a little bit confused by this solution. If Snort or any IDS reports an alert with a CVE number, and the corresponding probe (in your case a NASL script) doesn't detect a vulnerability, can you ensure that there isn't one? I wouldn't discard alerts or lower their priority, just because one of a thousand code snippets failed to exploit a vulnerability on a specific system in a specific environment -- others might do.

Just my 2 Cents.

Regards,
Konrad

--
Konrad Rieck <kr () roqe org> - http://people.roqe.org/kr
PGP: 5803 E58E D1BF 9A29 AFCA 51B3 A725 EA18 ABA7 A6A3