[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
PROPOSAL: Cluster 25 - IDS (5 candidates)
- To: cve-editorial-board-list@lists.mitre.org
- Subject: PROPOSAL: Cluster 25 - IDS (5 candidates)
- From: "Steven M. Christey" <coley@linus.mitre.org>
- Date: Mon, 26 Jul 1999 20:56:33 -0400 (EDT)
- Sender: owner-cve-editorial-board-list@lists.mitre.org
The following candidates deal with some implementation problems in IDSes, as outlined in the paper by Ptacek and Newsham (see http://www.nai.com/nai_labs/asp_set/advisory.asp). They identify problems in IDSes that can allow an attacker to escape detection. Note that these candidates do not include some of the inherent problems in the design of the IDSes themselves that are related to ambiguities in the TCP/IP protocol specifications, e.g. needing to know how the target's OS reassembles packets in order to accurately reconstruct the session. Should such design limitations be included in the CVE? - Steve Summary of votes to use (in ascending order of "severity"): ACCEPT - member accepts the candidate as proposed NOOP - member has no opinion on the candidate MODIFY - member wants to change some minor detail (e.g. reference/description) REVIEWING - member is reviewing/researching the candidate RECAST - candidate must be significantly modified, e.g. split or merged REJECT - candidate is "not a vulnerability", or a duplicate, etc. Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line. ================================= Candidate: CAN-1999-0598 Published: Final-Decision: Interim-Decision: Modified: Announced: 19990726 Assigned: 19990607 Category: CF A network intrusion detection system (IDS) does not properly handle packets that are sent out of order, allowing an attacker to escape detection. VOTE: ================================= Candidate: CAN-1999-0599 Published: Final-Decision: Interim-Decision: Modified: Announced: 19990726 Assigned: 19990607 Category: CF A network intrusion detection system (IDS) does not properly handle packets with improper sequence numbers. VOTE: ================================= Candidate: CAN-1999-0600 Published: Final-Decision: Interim-Decision: Modified: Announced: 19990726 Assigned: 19990607 Category: CF A network intrusion detection system (IDS) does not verify the checksum on a packet. VOTE: ================================= Candidate: CAN-1999-0601 Published: Final-Decision: Interim-Decision: Modified: Announced: 19990726 Assigned: 19990607 Category: CF A network intrusion detection system (IDS) does not properly handle data within TCP handshake packets. VOTE: ================================= Candidate: CAN-1999-0602 Published: Final-Decision: Interim-Decision: Modified: Announced: 19990726 Assigned: 19990607 Category: CF A network intrusion detection system (IDS) does not properly reassemble fragmented packets. VOTE:
- Follow-Ups:
- Re: PROPOSAL: Cluster 25 - IDS (5 candidates)
- From: Adam Shostack <adam@netect.com>
- Re: PROPOSAL: Cluster 25 - IDS (5 candidates)
- Prev by Date: PROPOSAL: Cluster 24 - FINGER (6 candidates)
- Next by Date: RE: PROPOSAL: Cluster 25 - IDS (5 candidates)
- Prev by thread: Re: PROPOSAL: Cluster 24 - FINGER (6 candidates)
- Next by thread: Re: PROPOSAL: Cluster 25 - IDS (5 candidates)
- Index(es):
