IDS mailing list archives

Re: CVE selection for IDS/IPS signature rules


From: Jose Nazario <jose () monkey org>
Date: Tue, 3 Jun 2008 16:24:48 -0400 (EDT)

an earlier comment from ron gula touched on how some vulns are remote etc. as of a few days ago, here's some quick numbers around the "range" element (where the attack can be mounted from) from the NVD, which annotates CVE entries. note that some attacks can have multiple range attributes.

nvd=# SELECT range_type, count(range_type) from range group by range_type;
  range_type   | count
---------------+-------
 local         |  5368
 remote        | 19697
 user_init     |  3121
 network       |  6929
 local_network |   114
(5 rows)

data from http://nvd.nist.gov/, imported into a local SQL database for
use.

________
jose nazario, ph.d.                 http://monkey.org/~jose/
