TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

All,

Sorry for the delayed response.

In response to Steve's suggestion, the X-Force has been writing new CGI checks to return HTTP response codes in the session log file, and they are also working on updating older checks to return this information as well.

As for turning on checks in policies based on OSid, this is something that we're working towards in Internet Scanner - we want to make sure that as we implement it we make it accurate and robust and take into consideration the opinions that were already expressed on this subject in ISSforum a while back.

Regards,
Patrick

Patrick Wheeler
Product Manager
Internet Security Systems, Inc.
6303 Barfield Rd.
Atlanta, GA 30328
ph. 404.236.2818 / fax 404.236.2614
Internet Security Systems - The Power to Protect

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 28, 2001 2:54 PM
To: Gary Flynn
Cc: [EMAIL PROTECTED]
Subject: Re: Vulnerability Classification Suggestion

We have had similar problems. Even when I look at the session files, I do not get the sense of what the decode was.

One of the high false positives we see is an unusual return code on an HTTP GET or HEAD for CGI files, especially default install files. Either the box returns an unusual return code or it is set up to be user friendly and returns a "may I help you" page thinking you typed in the wrong information.

I like the categories and recommend adding return codes.

I would also like the policy run to be smart enough to turn off or on exploits depending on the OS.

Steve

Gary Flynn <[EMAIL PROTECTED]>@iss.net on 06/28/2001 11:13:32 AM
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: (bcc: Steve Sidebottom/OH/BANCONE)
Subject: Vulnerability Classification Suggestion

In following up Internet Scanner vulnerability reports it would be nice to have at least a vague idea of why the vulnerability was flagged. False positives are counter-productive when encountered in the numbers they are when scanning tens of thousands of machines.

Since I presume that publishing the exact method of determining vulnerabilities wouldn't be acceptable for competitive reasons, how about a more general classification system that could be included in the vulnsFound table:

1) Vulnerability flagged due to obtained version information.
2) Vulnerability flagged due to confirmed exploit.
3) Vulnerability flagged but success of exploit needs to be confirmed.
4) Vulnerability flagged but does not commonly apply to platform.

Anyone else have any suggested classifications? Anyone else think this would be useful?

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml
RE: Vulnerability Classification Suggestion
Wheeler, Patrick (ISSAtlanta) Wed, 18 Jul 2001 15:55:37 -0700
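The four classes proposed in this thread, with the HTTP return code recorded beside them, can be applied to scan findings as in the following added example (not part of the original messages and not Internet Scanner code). The `Finding` record, its field names and the comparison against a baseline request for a nonexistent path on the same host are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Class numbers 1-4 below are the ones listed in the thread's proposal.

@dataclass
class Finding:  # hypothetical record layout, not Internet Scanner's schema
    check: str
    method: str                        # "banner", "exploit" or "http_probe"
    host_os: str
    applies_to: tuple                  # OS families the check targets
    exploit_ok: bool = False
    status: Optional[int] = None       # HTTP code returned for the CGI path
    length: Optional[int] = None       # body length for the CGI path
    base_status: Optional[int] = None  # same host, random nonexistent path
    base_length: Optional[int] = None

def looks_like_catch_all(f: Finding, slack: int = 32) -> bool:
    """The probed path answers the same way as a path that cannot exist."""
    if None in (f.status, f.length, f.base_status, f.base_length):
        return False
    return f.status == f.base_status and abs(f.length - f.base_length) <= slack

def classify(f: Finding) -> tuple:
    """Return (class number, HTTP status or None, reviewer note)."""
    if f.host_os not in f.applies_to:
        return 4, f.status, "check targets " + "/".join(f.applies_to)
    if f.method == "exploit" and f.exploit_ok:
        return 2, f.status, "exploit result observed"
    if f.method == "banner":
        return 1, f.status, "matched on version string only"
    if looks_like_catch_all(f):
        return 3, f.status, "same answer as nonexistent path; likely false positive"
    if f.method == "http_probe" and f.status != 200:
        return 3, f.status, "unusual return code; verify by hand"
    return 3, f.status, "needs manual confirmation"

# Constructed sample findings (check names and sizes are made up).
SAMPLES = [
    Finding("cgi-default-script", "http_probe", "unix", ("unix", "windows"),
            status=200, length=1840, base_status=200, base_length=1852),
    Finding("cgi-default-script", "http_probe", "unix", ("unix", "windows"),
            status=403, length=210, base_status=404, base_length=300),
    Finding("iis-sample-page", "http_probe", "unix", ("windows",), status=200, length=512),
    Finding("ftpd-old-version", "banner", "unix", ("unix",)),
]

def report():
    return [classify(f) for f in SAMPLES]
```

Keeping the return code and the note in the same row as the class number gives the person following up a report the reason a finding was flagged without exposing the check's exact method.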
