Snort mailing list archives

Re: Rapid7 and Snort....Good Things from this I think


From: Martin Holste <mcholste () gmail com>
Date: Mon, 11 Apr 2011 11:34:41 -0500

> I guess it would enhance RNA? There is only so much you can detect
> sniffing traffic passively. If you can import credentialed vuln
> information, your RNA recommended rules would be pretty tight.

All very true, though this only applies to the signatures which detect
exploits on the wire.  (If Snort rules which look for exploitation
were tagged "exploit," then it would be easy to find out how many
rules could be automatically tuned out by knowing to which exploits
you're vulnerable.)  As it stands, it would be somewhat tricky to
definitively identify all such rules, though grepping for "exploit"
would probably get you a ballpark figure as to the CPU savings the
coupling could provide.

I should also point out that one would be putting a lot of faith in
any company, Rapid7 included, to be accurate in their testing enough
to confidently stop looking for exploits on the wire.  If the Rapid7
check failed to detect an existing vulnerability through either the
test or result administration, then if you either disabled the
corresponding exploit rule or disregarded an uncorrelated alert, you
would fail to act on a successful exploit.

Caveats aside, it's definitely a nice addition.
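The coupling and the grep heuristic discussed above, as an added example in Python (not from this thread, Snort, or Rapid7): it parses a few constructed rules in Snort syntax, counts the ones whose msg mentions "exploit", and buckets rules by whether their reference:cve ids appear in a constructed credentialed-scan result. The option names are real Snort rule syntax; the sids, CVE ids and scan output are placeholders.

```python
import re

# Constructed sample rules in Snort syntax (placeholder sids and CVE ids, not a real ruleset).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-APP example1 exploit attempt"; flow:to_server,established; content:"/cgi-bin/x"; reference:cve,2011-0001; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS example2 exploit attempt"; flow:to_server,established; content:"|FF|SMB"; reference:cve,2011-0002; classtype:attempted-admin; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY example3 chat login"; flow:to_server,established; content:"LOGIN"; classtype:policy-violation; sid:1000003; rev:1;)
# alert tcp any any -> any any (msg:"already disabled"; reference:cve,2011-0003; sid:1000004; rev:1;)
"""
# Constructed output of a credentialed scan: CVE ids the host is actually vulnerable to.
SCAN_VULNERABLE_CVES = {"2011-0002"}

RULE_RE = re.compile(r"^\s*(?:alert|drop|log|pass)\s.*\((?P<opts>.*)\)\s*$")
OPT_RE = re.compile(r'(?P<key>[a-z_]+)\s*:\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*);')

def parse_rules(text):
    """Return (sid, msg, cves) for each active rule; cves is the set of reference:cve ids."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if line.lstrip().startswith("#") or not m:
            continue  # commented-out (already disabled) or not a rule line
        sid, msg, cves = None, "", set()
        for key, val in OPT_RE.findall(m.group("opts")):
            val = val.strip()
            if key == "sid":
                sid = val
            elif key == "msg":
                msg = val.strip('"')
            elif key == "reference" and val.lower().startswith("cve,"):
                cves.add(val[4:])
        if sid:
            rules.append((sid, msg, frozenset(cves)))
    return rules

def exploit_tagged(rules):
    """The grep heuristic from the thread: rules whose msg mentions 'exploit'."""
    return [sid for sid, msg, _ in rules if "exploit" in msg.lower()]

def triage(rules, vulnerable_cves):
    """keep: references a CVE the scan confirmed present; disable: every referenced CVE
    is absent per the scan (the thread's caveat: a scanner false negative turns this into
    a missed exploit); uncorrelated: no CVE reference, so scan data says nothing about it."""
    out = {"keep": [], "disable": [], "uncorrelated": []}
    for sid, _, cves in rules:
        bucket = "uncorrelated" if not cves else ("keep" if cves & vulnerable_cves else "disable")
        out[bucket].append(sid)
    return out
```

Only rules carrying a reference:cve option can be correlated at all, which is why the "uncorrelated" bucket is left untouched rather than treated as safe to disable.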
