Intrusion Detection Systems mailing list archives

Re: The CVE (WAS: RE: RE: Ramping up for another review)


From: gshipley () neohapsis com (Greg Shipley)
Date: Sat, 15 Jul 2000 12:00:34 -1000


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
At 03:43 AM 7/15/00 -0400, Dug Song wrote:

> no, this is the problem. they're agreeing that "apple" is a name for some
> fruit they should care about, but without any backing definition based on
> common taxonomy. vendor A could call a red delicious an apple, while
> vendor B could call an orange an apple, and they'd both be CVE-compliant.
>
> i contend that this is worthless for anything more than marketing, and may
> actually be harmful in the long run. we've basically given up on science,
> yielding instead to market-driven interoperability requirements (or at
> least claims to such). mayday, mayday!
>
> while the past vulnerability taxonomy work done at UC Davis, Purdue, and
> elsewhere wasn't exactly rocket science, it was definitely a step in the
> right direction; CVE, in comparison, seems to be a major step backwards.

Dug, you're not a religious FreeBSD user, are you?

Just checking.  :)

Ok, I hear your points (and agree with many of them) however, again, I 
think this all boils down to what *YOU* expect the CVE to do.  If you are 
looking for an IDS vendor police force, you're right, the CVE isn't 
it.  But honestly, do you really think that Cisco and ISS are going to 
screw up, say, an attack on wu-ftpd and confuse it with something else?  I 
mean, ok, I've seen some vendors do some bone-headed things but I'm not 
worried about Axent mistaking the ping of death for a Bind NXT exploit.

If you want the CVE to do this, you are right, it doesn't and it 
won't.  But I don't think it should - the IDS signature police force is 
going to have to come from some other movement (if it were to happen at all).

Tell me about the UC Davis and Purdue work, 'cause last time I looked at 
those projects they weren't going ANYWHERE (but we might not be talking 
about the same projects - can you give me URLs?).  What I was looking at a 
year ago was typical of academia land: debate the 10,000ft view and 
theoretical proofs of something until you are blue in the face and never 
implement anything worthwhile.  (sorry, Greg is a bit bitter on that front)

> > Another place where the CVE can help - if all IDS vendors become CVE
> > compliant you can make sure to turn on sig X,Y, and Z and know that those
> > are the same across all products (or at least, that they are looking for
> > the same attack) while you test.
>
> not true. the only thing CVE guarantees is that a compliant implementation
> has a check for something labelled "apple" (nevermind what kind of fruit
> it actually is) - nothing more, nothing less. you could throw a granny
> smith at it instead of a red delicious, and it might miss it completely.
> or you might throw bananas at it, and have it respond with all kinds of
> nonsense about bad apples. so how is this really useful?

Again, maybe my trust has been ill-placed, but I'm not worried about 
vendors screwing this part of it up.  I'm more worried about the sig being 
logically flawed than a lack of understanding on what CVE xxx is truly 
identifying.

> if IDS vendors were really concerned with assurance and formal evaluation,
> they'd be involved in something like the international Common Criteria:
>
>         http://www.commoncriteria.org/
>
> (not that i think the CC is the end-all be-all of security evaluation,
>  but it's a lot more meaningful, imo, than something like CVE or ICSA)

I'm not qualified to comment on this one.  :)

> p.s. sorry if i've stepped on any toes here, i don't mean any offense.
>      "business never personal" -- EPMD

No toes stepped on here!  If I can dish it out, I better be ready to take 
it, yeah? :)

Thanks,

-Greg
