Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



IDS: Re: Announcement: Alert Verification for Snort

Re: Announcement: Alert Verification for Snort

From: Konrad Rieck <kr_at_roqe.org>
Date: Thu, 23 Oct 2003 12:03:13 +0200

Hi,

On Wed, 2003-10-22 at 03:16, Christopher Kruegel wrote:
> The idea is to actively probe for the vulnerability that is exploited by
> a certain detected attack. When the victim is not vulnerable, the
> alert can be simply discarded or tagged with a low priority.

I am a little bit confused by this solution.

If Snort or any IDS reports an alert with CVE number, and the
corresponding probe (in your case a NASL script) doesn't detect a
vulnerability, can you ensure that there isn't one?

I wouldn't discard alerts or lower their priority, just because one of
thousand code snippets failed to exploit a vulnerability on a specific
system in a specific environment -- others might do.

Just my 2 Cents.

Regards,
Konrad 

-- 
 Konrad Rieck <kr@roqe.org> - http://people.roqe.org/kr 
 PGP: 5803 E58E D1BF 9A29 AFCA 51B3 A725 EA18 ABA7 A6A3

Received on Oct 23 2003
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos