
RE: Sources: Full and Partial Coverage



On Tue, 26 Jun 2012, Carsten Eiram wrote:

: > We're fairly ghetto, but OSVDB does a *lot* of source monitoring by hand.
:
: It takes a fair amount of manual labour to do it properly. Naturally, we
: don't sit in a browser visiting a huge list of sites every single day.
: We have robots monitoring mailing lists and web sites, checking for new
: discussions/content with certain keywords or new links.

Right. We have a weighted system based on the source, for priority in
checking the source. ICS-CERT and Adobe are 'priority 1' for example,
where low end software changelogs and bugtrackers are 'priority 9'.
Regardless, we rely on a person looking at the sources.

: > : 5. Have set searches for phrases that indicate important vulnerabilities
: > : ("overflow", "XSS", etc).
:
: That's one of the approaches we follow. Using that approach you, of
: course, need a solid list of keywords to ensure proper coverage. If you
: want to cover non-English sites you either need the same keywords in
: those languages as well or first run the monitored sites through a
: translation service e.g. Google Translate, hoping that it gets the
: translation right to trigger the keyword matches. It's a solid way to
: generate hits for further processing.

This is definitely a weakness for the automated parsing. Right now my
parser is only good for English and French. The list of keywords I believe
is robust. I had a solid list for several years, and then Steve Christey
contributed his list which almost doubled my own. It generates a
substantial amount of false positives, but I believe it is worth it as the
false negatives are likely much smaller.
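A minimal version of the keyword-plus-source-priority triage described in this exchange, added here as an example (not code from OSVDB, CVE or either participant); the source names, priority values, the short English/French keyword lists and the sample feed items are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Source weights as described in the thread: 1 = check first, 9 = low-end
# changelogs/bugtrackers. Sources and values here are constructed for the example.
SOURCE_PRIORITY = {"ics-cert": 1, "adobe": 1, "oss-security": 3, "small-project-changelog": 9}
DEFAULT_PRIORITY = 5  # assumption: unknown sources land in the middle of the queue

# A small English/French keyword list (constructed; the real lists are far larger).
KEYWORDS = {
    "en": ["overflow", "xss", "cross-site scripting", "sql injection", "remote code execution"],
    "fr": ["débordement", "dépassement de tampon", "injection sql", "exécution de code"],
}

@dataclass
class Item:
    source: str
    title: str
    body: str

@dataclass
class Hit:
    priority: int
    source: str
    title: str
    matched: list = field(default_factory=list)

def _compile(keywords):
    # Word-anchored at the front, suffix-tolerant at the back so "overflows" and
    # "overflowed" still hit; this accepts some false positives to reduce misses.
    return [(kw, re.compile(r"\b" + re.escape(kw) + r"\w*", re.IGNORECASE))
            for lang in keywords.values() for kw in lang]

_PATTERNS = _compile(KEYWORDS)

def scan(items):
    """Return keyword hits ordered by source priority (lowest number first)."""
    hits = []
    for item in items:
        text = f"{item.title}\n{item.body}"
        matched = [kw for kw, pat in _PATTERNS if pat.search(text)]
        if matched:
            prio = SOURCE_PRIORITY.get(item.source, DEFAULT_PRIORITY)
            hits.append(Hit(prio, item.source, item.title, matched))
    return sorted(hits, key=lambda h: (h.priority, h.source))

# Constructed sample feed items, not real advisories.
SAMPLE = [
    Item("small-project-changelog", "v1.2.3", "Fixed a heap overflow in the image loader; minor UI tweaks."),
    Item("ics-cert", "Advisory (constructed)", "Stack-based buffer overflow and cross-site scripting in the web HMI."),
    Item("oss-security", "Re: build question", "No security impact, just a Makefile cleanup."),
    Item("adobe", "Bulletin de sécurité", "Un débordement de tampon permet l'exécution de code à distance."),
]

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(h.priority, h.source, h.matched)
```

Items that match no keyword are dropped, so a reviewer only sees the candidate list, with the highest-priority sources at the top.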


Page Last Updated or Reviewed: November 06, 2012