[Snort-users] Rapid7 and Snort....Good Things from this I think

Martin Holste mcholste at ...11827...
Mon Apr 11 12:34:41 EDT 2011


> I guess it would enhance RNA? There is only so much you can detect
> sniffing traffic passively. If you can import credentialed vuln
> information, your RNA recommended rules would be pretty tight.
>
All very true, though this only applies to the signatures which detect
exploits on the wire.  (If Snort rules which look for exploitation
were tagged "exploit," then it would be easy to find out how many
rules could be automatically tuned out by knowing to which exploits
you're vulnerable.)  As it stands, it would be somewhat tricky to
definitively identify all such rules, though grepping for "exploit"
would probably get you a ballpark figure as to the CPU savings the
coupling could provide.

I should also point out that one would be putting a lot of faith in
any company, Rapid7 included, to be accurate in their testing enough
to confidently stop looking for exploits on the wire.  If the Rapid7
check failed to detect an existing vulnerability through either the
test or result administration, then if you either disabled the
corresponding exploit rule or disregarded an uncorrelated alert, you
would fail to act on a successful exploit.

Caveats aside, it's definitely a nice addition.
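As an added illustration of the tuning idea and the caveat above (example code, not from the post, Snort or Rapid7), the following Python triages a rule set against a credentialed scan result, using the "grep for exploit" heuristic and treating "the scanner never tested this CVE" differently from "not vulnerable". The rule text, CVE ids and scan results are constructed placeholders.

```python
import re

# Constructed sample rules in Snort syntax (not from the post); the CVE ids are placeholders.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXPLOIT sample smb overflow"; '
    'classtype:attempted-admin; reference:cve,0000-0001; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT sample http overflow"; '
    'classtype:attempted-admin; reference:cve,0000-0002; sid:1000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXPLOIT sample proxy overflow"; '
    'classtype:attempted-admin; reference:cve,0000-0003; sid:1000003; rev:1;)',
    'alert tcp any any -> $HOME_NET 22 (msg:"POLICY sample ssh brute force"; '
    'classtype:attempted-recon; sid:1000004; rev:1;)',
]
# Constructed scan result for one host: only tested CVEs appear, so a missing key means "untested".
SAMPLE_SCAN = {"0000-0001": "not_vulnerable", "0000-0002": "vulnerable"}

OPT_RE = re.compile(r'(\w+):("[^"]*"|[^;]*);')


def parse_rule(rule):
    """Return (sid, msg, [cve ids]) from the option section of a one-line Snort rule."""
    sid, msg, cves = None, "", []
    for key, val in OPT_RE.findall(rule.split("(", 1)[1]):
        if key == "sid":
            sid = int(val)
        elif key == "msg":
            msg = val.strip('"')
        elif key == "reference" and val.startswith("cve,"):
            cves.append(val[4:])
    return sid, msg, cves


def triage(rules, scan):
    """Split rules into sids safe to disable and sids to keep (with the reason).
    Only "exploit" rules whose every CVE was explicitly reported not_vulnerable are disabled."""
    disable, keep = [], {}
    for rule in rules:
        sid, msg, cves = parse_rule(rule)
        if "exploit" not in msg.lower():
            keep[sid] = "not an exploit rule"
        elif not cves:
            keep[sid] = "no CVE reference to correlate"
        elif all(scan.get(c) == "not_vulnerable" for c in cves):
            disable.append(sid)
        elif any(c not in scan for c in cves):
            keep[sid] = "CVE not tested by scanner"
        else:
            keep[sid] = "host reported vulnerable"
    return disable, keep
```

The "CVE not tested by scanner" branch is the point of the caveat: a gap in the scanner's coverage must leave the rule enabled rather than silently counting as "not vulnerable".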