[https://bro-tracker.atlassian.net/browse/BIT-1411?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22010#comment-22010]
Seth Hall commented on BIT-1411:
--------------------------------
I forgot to reply to the other half of Vern's original comment. The intent for
this detection being split into two like it is, is to enable some fancier
detection and mitigations. By splitting the detection in two we can actually
detect a host being attacked even if every single attack is coming from a
different IP address and generally knowing who the attacker is in that case is
difficult. Eventually the plan is to enable reactions to attacks by denying
service quickly to external hosts with a greatly reduced threshold because
presumably the host would only begin to be protected once it's under an ongoing
attack.
> SQL_Injection_Victim is a misleading name
> -----------------------------------------
>
> Key: BIT-1411
> URL: https://bro-tracker.atlassian.net/browse/BIT-1411
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Vern Paxson
>
> I suggest changing the name of this notice to {{SQL_Injection_Target}}.
> Having "victim" in the name implies to me that the attack succeeded, which is
> not what the associated logic is about.
> Indeed, I even wonder if this notice is useful. The information should be
> directly available from {{SQL_Injection_Attacker}} notices (though it doesn't
> appear to be currently set up to provide this - why not?).
bro-dev mailing list: http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
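The design point Seth makes above, that keying the count on the target host catches an attack spread across many source addresses which a per-attacker count would miss, and that a host already under attack can justify a reduced threshold for new sources, can be shown with a small simulation. The following is an added example written for this page; it is not Bro's detect-sqli script. The injection pattern is deliberately simplified (Bro's own regular expression is far more elaborate), and the thresholds, host addresses and request URIs are all constructed for the example.

```python
import re
from collections import Counter

# Simplified pattern for SQL-injection-looking request URIs. This is an
# assumption for the example; Bro's detect-sqli script uses its own, much
# more thorough regular expression.
SQLI_RE = re.compile(
    r"(?:%27|')(?:%20|\+|\s)*(?:or|and|union)\b"   # quote followed by or/and/union
    r"|union(?:%20|\+|\s)+select"                   # union select
    r"|--\s*$",                                     # trailing SQL comment
    re.IGNORECASE,
)

# Thresholds are constructed for this example, not Bro's defaults.
ATTACKER_THRESHOLD = 5          # suspicious requests from one source (orig_h)
TARGET_THRESHOLD = 5            # suspicious requests against one host (resp_h)
REDUCED_ATTACKER_THRESHOLD = 2  # applied to sources hitting a host already under attack


def is_sqli_attempt(uri):
    """True if the URI looks like an SQL injection attempt under SQLI_RE."""
    return SQLI_RE.search(uri) is not None


def evaluate(requests, attacker_threshold=ATTACKER_THRESHOLD,
             target_threshold=TARGET_THRESHOLD,
             reduced_threshold=REDUCED_ATTACKER_THRESHOLD):
    """Replay (orig_h, resp_h, uri) records in order and return
    (attackers, targets): sources and hosts that crossed their thresholds.
    Two independent counters mirror the split into an attacker-side and a
    target-side notice."""
    per_attacker = Counter()
    per_target = Counter()
    attackers, targets = set(), set()
    for orig_h, resp_h, uri in requests:
        if not is_sqli_attempt(uri):
            continue
        per_attacker[orig_h] += 1
        per_target[resp_h] += 1
        if per_target[resp_h] >= target_threshold:
            targets.add(resp_h)
        # Once the target is known to be under attack, flag new sources
        # against it with a much lower threshold.
        limit = reduced_threshold if resp_h in targets else attacker_threshold
        if per_attacker[orig_h] >= limit:
            attackers.add(orig_h)
    return attackers, targets


# Constructed sample traffic (documentation-range addresses).
TARGET = "10.0.0.5"
INJECTION_URIS = [
    "/login?user=admin'%20or%20'1'='1",
    "/items?id=1%27+union+select+1",
    "/items?id=1' or 1=1",
]
BENIGN = [("192.0.2.10", TARGET, "/index.html?id=5"),
          ("192.0.2.11", TARGET, "/search?q=union%20station")]

# Six different sources, one injection-looking request each.
DISTRIBUTED_ATTACK = BENIGN + [
    (f"203.0.113.{i}", TARGET, INJECTION_URIS[i % len(INJECTION_URIS)])
    for i in range(1, 7)
]
# One source sending six injection-looking requests.
SINGLE_ATTACKER = BENIGN + [
    ("198.51.100.7", TARGET, INJECTION_URIS[i % len(INJECTION_URIS)])
    for i in range(6)
]
# A new source appearing after the target is already flagged.
FOLLOW_ON = [("203.0.113.9", TARGET, INJECTION_URIS[0]),
             ("203.0.113.9", TARGET, INJECTION_URIS[1])]


if __name__ == "__main__":
    for name, reqs in [("distributed", DISTRIBUTED_ATTACK),
                       ("single source", SINGLE_ATTACKER),
                       ("distributed + follow-on", DISTRIBUTED_ATTACK + FOLLOW_ON)]:
        attackers, targets = evaluate(reqs)
        print(f"{name}: attackers={sorted(attackers)} targets={sorted(targets)}")
```

In the distributed case the per-attacker counter never exceeds one, so an attacker-keyed notice alone would stay silent, while the target-keyed counter still identifies the host under attack; in the follow-on case the already-flagged target lets a new source be flagged after two requests instead of five.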