I would suggest a classification for System Scanner vulnerability
reports.
The vulnerabilities are now divided into low, medium and high risk, but
it would also be useful to specify if the exploit is possible only
locally or also remotely.
Obviously in Internet Scanner this is not applicable; in fact it finds
only remotely exploitable vulnerabilities.
------------------------------------
Dott. Maurizio Erbasanta
MCP, ISS Certified
Security Service Consultant
Kammatech Consulting S.r.l.
Via Nerino, 15
20123 Milano
Italy
Tel. +39-02-8858911
Fax. +39-02-88589128
E-Mail: [EMAIL PROTECTED]
http://www.kammatech.com
-------------------------------------
-----Original Message-----
From: Gary Flynn [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 28 June 2001 17.14
To: [EMAIL PROTECTED]
Subject: Vulnerability Classification Suggestion
In following up Internet Scanner vulnerability reports it would
be nice to have at least a vague idea of why the vulnerability
was flagged. False positives are counter-productive when encountered
in the numbers they are when scanning tens of thousands of
machines.
Since I presume that publishing the exact method of determining
vulnerabilities wouldn't be acceptable for competitive reasons,
how about a more general classification system that could be
included in the vulnsFound table:
1) Vulnerability flagged due to obtained version information.
2) Vulnerability flagged due to confirmed exploit.
3) Vulnerability flagged but success of exploit needs to be
confirmed.
4) Vulnerability flagged but does not commonly apply to platform.
Anyone else have any suggested classifications?
Anyone else think this would be useful?
--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml