
Re: CNA Rules Announcement



On Sun, 9 Oct 2016, Scott Lawler wrote:

: This level of abstraction is, well, abstract.  How do we determine what 
: should be abstracted and to what level?
: 
: This is a slippery slope to start down.
: 
: While I concur that some level of abstraction is good, I think that we 
: need to carefully define for the community what level of abstraction is 
: appropriate.
: 
: Honestly, I'm not quite sure how to do that.  I hate to say case-by-case 
: but...
: 
: Ideas on how to quantify and define the right level of abstraction?

I think the best way to start is to pick out ~10 vulns from the past 
that fit the bill: "protocol" vulns that were NOT due to a flaw in the 
design specs, rather the implementation (where almost every vendor got it 
wrong), and see how it worked out.

While many may immediately say "we don't need 100 IDs for that, it's 
confusing!", I disagree at a certain point. When it comes to per-vendor 
fixes where you are applying 20 different patches, upgrades, or 
workarounds in your organization "for the same vulnerability", that is 
confusing. That one ID is no longer talking about the same vulnerability 
in the full scope of it (flaw, impact, and remediation).

So examine some of the past ones that were abstracted, and some that 
were not... then look at how security vendors handled it. Did they create 
different rules for IDS/IPS? Did vuln scanners create different 
IDs/plugins? That would also be a good one to get community feedback on.

Brian


Page Last Updated or Reviewed: October 10, 2016