Vulnerability Manager: Tracking Attacks

One of the things we added shortly before the Vulnerability Manager Technology Preview release was the ability to track attacks that were firing previously-generated IDS/IPS or WAF rules.  Right now this only works for generated Snort rules, but it should be pretty straightforward to extend to other supported IDS/IPS and WAFs.

Basically, each rule that is generated receives a unique identifier.  When a rule fires, its identifier is included in the log message.  By uploading these logs to Vulnerability Manager we can parse out the alerts associated with rules we generated and associate those with the original vulnerability that spawned the rule.
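As an added illustration of that workflow (this is example code written for this post, not Vulnerability Manager's own parser), the script below reads Snort alerts in the standard "fast" alert format, pulls the `[gid:sid:rev]` identifier out of each line, looks the SID up in a table of generated rules, and tallies alerts per originating vulnerability. The SID-to-vulnerability table, the vulnerability ids, the paths, and the log lines are all constructed for the example; the SIDs sit in the 1000000+ range that Snort leaves free for local rules.

```python
import re
from collections import Counter, defaultdict

# Constructed mapping from (gid, sid) of each generated Snort rule to the
# vulnerability that spawned it.  The ids and paths are hypothetical.
RULE_TO_VULN = {
    (1, 1000001): {"vuln_id": "VULN-17", "type": "SQL Injection", "path": "/login"},
    (1, 1000002): {"vuln_id": "VULN-23", "type": "Cross-Site Scripting", "path": "/search"},
}

# Snort "alert_fast" line:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample alerts: two hits on the SQLi rule, one on the XSS rule,
# one stock (non-generated) rule, and one line that is not an alert at all.
SAMPLE_ALERTS = [
    "03/15-14:22:01.123456  [**] [1:1000001:1] VM-generated: SQLi on /login [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:51234 -> 10.0.0.10:80",
    "03/15-14:22:05.654321  [**] [1:1000001:1] VM-generated: SQLi on /login [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:51240 -> 10.0.0.10:80",
    "03/15-14:23:10.000001  [**] [1:1000002:1] VM-generated: XSS on /search [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:44000 -> 10.0.0.10:80",
    "03/15-14:23:11.000002  [**] [1:1234:5] Some stock community rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.9:44001 -> 10.0.0.10:80",
    "not a snort alert line at all",
]


def parse_fast_alert(line):
    """Parse one fast-format alert line; return a dict or None if it does not match."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev"):
        alert[key] = int(alert[key])
    return alert


def attribute_alerts(lines, rule_map=RULE_TO_VULN):
    """Map alerts back to vulnerabilities.

    Returns (hits, unmapped, malformed) where hits is
    {vuln_id: {"count": n, "sources": Counter of source IPs}}.
    Alerts from rules we did not generate are counted as unmapped rather than
    dropped silently, so the upload's coverage is visible to the analyst.
    """
    hits = defaultdict(lambda: {"count": 0, "sources": Counter()})
    unmapped = 0
    malformed = 0
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            malformed += 1
            continue
        # Key on (gid, sid) only: the rule text or rev may change when rules are
        # regenerated, but the SID is what ties the alert to the vulnerability.
        vuln = rule_map.get((alert["gid"], alert["sid"]))
        if vuln is None:
            unmapped += 1
            continue
        src_ip = alert["src"].rsplit(":", 1)[0]  # strip the port (IPv4 form assumed)
        entry = hits[vuln["vuln_id"]]
        entry["count"] += 1
        entry["sources"][src_ip] += 1
    return dict(hits), unmapped, malformed


def prioritize(hits):
    """Vulnerability ids ordered by how often they were actually attacked."""
    return sorted(hits, key=lambda v: hits[v]["count"], reverse=True)


if __name__ == "__main__":
    hits, unmapped, malformed = attribute_alerts(SAMPLE_ALERTS)
    for vuln_id in prioritize(hits):
        v = hits[vuln_id]
        print(f"{vuln_id}: {v['count']} alert(s) from {len(v['sources'])} source IP(s)")
    print(f"unmapped alerts: {unmapped}, malformed lines: {malformed}")
```

Keying the lookup on the numeric SID rather than on the alert message text is deliberate: the message is free-form and may be edited when rules are regenerated, while the SID is the stable identifier the text above describes. Counting unmapped and malformed lines separately also gives a quick sanity check that the uploaded file really is a Snort fast-alert log and that the generated rules were actually loaded on the sensor.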

This is handy because it provides some visibility into vulnerabilities in your applications that are actually being attacked.  Based on this data you might choose to prioritize certain vulnerabilities over others for code-level remediation.

Right now you have to manually upload the log files to Vulnerability Manager.  We have talked with other IDS/IPS and WAF vendors, and one suggestion has been to add syslog support, so that is something we are considering for the future.  We could also programmatically SCP log files off of sensors with a little bit of effort.  So although this is a manual process right now, it should be easy to automate in the future.

Contact us for more info about prioritizing vulnerabilities for remediation.

–Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
