IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Announcement: Alert Verification for Snort

From: Konrad Rieck <kr () roqe org>
Date: Thu, 23 Oct 2003 12:03:13 +0200
Hi,

On Wed, 2003-10-22 at 03:16, Christopher Kruegel wrote:

The idea is to actively probe for the vulnerability that is exploited by
a certain detected attack. When the victim is not vulnerable, the 
alert can be simply discarded or tagged with a low priority.


I am a little bit confused by this solution.

If Snort or any IDS reports an alert with CVE number, and the
corresponding probe (in your case a NASL script) doesn't detect a
vulnerability, can you ensure that there isn't one? 

I wouldn't discard alerts or lower their priority, just because one of
thousand code snippets failed to exploit a vulnerability on a specific
system in a specific environment -- others might do.

Just my 2 Cents.

Regards,
Konrad

-- 
 Konrad Rieck <kr () roqe org> - http://people.roqe.org/kr 
 PGP: 5803 E58E D1BF 9A29 AFCA 51B3 A725 EA18 ABA7 A6A3

Attachment: signature.asc
Description: This is a digitally signed message part

Previous By Date Next
Previous By Thread Next

Current thread: