With so many different people writing these scripts, there will be some
degree of varying subjectivity for the assignment of severity level that
will not be able to be factored out.  However, if there were a limited group
of terms to choose from, each one indicative of a unique severity level, it
would do a lot to limit that.  Exactly which terms are valid NESSUS
severity levels should be defined and adhered to, IMO.  Without this being
in place there is only a vague common point of reference for severity level.
Valid assignments should be limited to something like "high", "medium",
"low", "none", for example.  And if one were to submit something that
deviated from that, it would either be rejected until corrected or
reassigned to the valid severity that seemed the most appropriate.  As far
as I can tell the actual term(s) used to describe severity are at the whim
of the writer of the script.  If memory serves, I've seen "critical",
"high", "very high", "severe", "low", "medium-high", "none", and there are
probably a handful of others.  When a script is submitted, certain things
should be reviewed.  Whether CVE assignments are valid and whether the assigned
severity adheres to the established standard (when and if one gets
established) should be two of the things reviewed, IMO.  Otherwise one is
left wondering if "critical", "high", and "very high" are the same or
different.  Especially since it may be very possible that the scripts
were written by 3 different people.  What if there is no severity assigned?

Just a thought.

~Kevin Davis

What could possibly go wrong?
----- Original Message -----
From: "Michel Arboi" <[EMAIL PROTECTED]>
To: "Fu, Huihsing (Huihsing)" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, November 13, 2002 4:58 AM
Subject: Re: Question on nessus results


> "Fu, Huihsing (Huihsing)" <[EMAIL PROTECTED]> writes:
>
> > 1.  How is severity determined?
>
> Mmmm... Although this is a common question, I wonder if the answer
> should be in the FAQ :-\
> There is *no* norm for severity or risk.
>
> > 2.  The severity is either high or low.  Is there a medium?
>
> Not sure. But I've seen "extreme" in one script at least and "None" in
> several information gathering scripts.
>

-
[EMAIL PROTECTED]: general discussions about Nessus.
* To unsubscribe, send a mail to [EMAIL PROTECTED] with
"unsubscribe nessus" in the body.
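The review process Kevin sketches (a closed list of severity terms, out-of-vocabulary terms either rejected or reassigned to the nearest valid one, a missing severity flagged, and CVE assignments checked for validity) can be mechanised as a pre-submission lint. The following is an added example written for this archive page; it is not code from the thread or from the Nessus project. The per-script metadata layout (a dict with a free-text `risk` field and a `cves` list), the alias table and the sample submissions are all constructed assumptions.

```python
"""Added example (not from the thread or from Nessus): a submission checker
that enforces a fixed severity vocabulary and validates CVE identifiers.

Assumed metadata layout per script (constructed for this example):
    {"name": "...", "risk": "<free-text severity>", "cves": ["CVE-YYYY-NNNN", ...]}
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The closed vocabulary proposed in the thread.
VALID_SEVERITIES = ("high", "medium", "low", "none")

# Terms seen "in the wild" in the thread, mapped to the nearest valid level.
# This table is an assumption; anything not listed is rejected, not guessed.
SEVERITY_ALIASES = {
    "critical": "high",
    "very high": "high",
    "severe": "high",
    "extreme": "high",
    "medium-high": "high",      # ambiguous; assumption: round up
    "moderate": "medium",
    "info": "none",
    "informational": "none",
}

# CVE syntax: CVE-<4-digit year>-<4 or more digits>.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass
class Result:
    severity: Optional[str]                  # canonical level, or None if rejected
    notes: List[str] = field(default_factory=list)   # reassignments applied
    errors: List[str] = field(default_factory=list)  # reasons for rejection

    @property
    def accepted(self) -> bool:
        return not self.errors


def normalize_severity(term: Optional[str]) -> Result:
    """Map a free-text severity to the vocabulary, or reject it."""
    if term is None or not term.strip():
        return Result(None, errors=["no severity assigned"])
    key = " ".join(term.lower().split())     # case- and whitespace-insensitive
    if key in VALID_SEVERITIES:
        return Result(key)
    if key in SEVERITY_ALIASES:
        canon = SEVERITY_ALIASES[key]
        return Result(canon, notes=[f"severity {term!r} reassigned to {canon!r}"])
    return Result(None, errors=[f"unknown severity term {term!r}"])


def check_submission(meta: dict) -> Result:
    """Review one script's metadata: severity vocabulary plus CVE id syntax."""
    result = normalize_severity(meta.get("risk"))
    for cve in meta.get("cves", []):
        if not CVE_RE.match(cve):
            result.errors.append(f"invalid CVE identifier {cve!r}")
    return result


def review_batch(submissions: List[dict]) -> Dict[str, Result]:
    """Review many scripts; returns {script name: Result}."""
    return {m["name"]: check_submission(m) for m in submissions}


# Constructed sample submissions illustrating the cases raised in the thread.
SAMPLE_SUBMISSIONS = [
    {"name": "clean.nasl", "risk": "High", "cves": ["CVE-2002-0001"]},
    {"name": "alias.nasl", "risk": "Very  High", "cves": []},
    {"name": "badterm.nasl", "risk": "scary", "cves": ["CAN-2002-0002"]},
    {"name": "nosev.nasl", "cves": ["CVE-2002-0003"]},
]

if __name__ == "__main__":
    for name, res in review_batch(SAMPLE_SUBMISSIONS).items():
        verdict = "ACCEPT" if res.accepted else "REJECT"
        print(f"{name}: {verdict} severity={res.severity}")
        for line in res.notes + res.errors:
            print(f"    {line}")
```

Unknown terms are rejected rather than silently mapped; only the explicitly listed aliases are reassigned, and each reassignment is recorded in `notes` so the reviewer can see that the submitted wording differed from the standard.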