OVAL Definitions for Wireshark

sprabhu
Submitting OVAL Definitions for Multiple Vulnerabilities in Wireshark.
Inventories for: Wireshark
Thanks & Regards,
Prabhu.S.A
www.secpod.com
To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DISCUSSION-LIST in the BODY of the message. If you have difficulties, write to [hidden email].
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <generator>
    <oval:product_name>The OVAL Repository</oval:product_name>
    <oval:schema_version>5.6</oval:schema_version>
    <oval:timestamp>2009-11-17T05:52:44.512-05:00</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:org.secpod.oval:def:91039" version="1" class="inventory">
      <metadata>
        <title>Wireshark is installed on the system.</title>
        <affected family="windows">
          <platform>Microsoft Windows 2000</platform>
          <platform>Microsoft Windows XP</platform>
          <platform>Microsoft Windows Server 2003</platform>
          <platform>Microsoft Windows Vista</platform>
          <platform>Microsoft Windows 7</platform>
          <product>Wireshark</product>
        </affected>
        <reference source="CPE" ref_id="cpe:/a:wireshark:wireshark"/>
        <description>Wireshark is installed on the system.</description>
        <oval_repository>
          <dates>
            <submitted date="2009-11-17T15:11:12">
              <contributor organization="SecPod Technologies">Prabhu S A</contributor>
            </submitted>
          </dates>
          <status>INITIAL SUBMISSION</status>
        </oval_repository>
      </metadata>
      <criteria operator="OR">
        <criteria operator="AND">
          <criteria operator="OR">
            <extend_definition comment="Microsoft Windows XP (x86) SP2 is installed" definition_ref="oval:org.mitre.oval:def:754"/>
            <extend_definition comment="Microsoft Windows XP (x86) SP3 is installed" definition_ref="oval:org.mitre.oval:def:5631"/>
            <extend_definition comment="Microsoft Windows Vista (32-bit) is installed" definition_ref="oval:org.mitre.oval:def:1282"/>
            <extend_definition comment="Microsoft Windows Vista (32-bit) Service Pack 1 is installed" definition_ref="oval:org.mitre.oval:def:4873"/>
            <extend_definition comment="Microsoft Windows Server 2003 SP1 (x86) is installed" definition_ref="oval:org.mitre.oval:def:565"/>
            <extend_definition comment="Microsoft Windows Server 2003 SP2 (x86) is installed" definition_ref="oval:org.mitre.oval:def:1935"/>
            <extend_definition comment="Microsoft Windows 2000 is installed" definition_ref="oval:org.mitre.oval:def:85"/>
            <extend_definition comment="Microsoft Windows 7 (32-bit) is installed" definition_ref="oval:org.mitre.oval:def:6165"/>
          </criteria>
          <criterion comment="Check for version of Wireshark installed on the system" test_ref="oval:org.secpod.oval:tst:91039"/>
        </criteria>
      </criteria>
    </definition>
    <definition id="oval:org.secpod.oval:def:91040" version="1" class="vulnerability">
      <metadata>
        <title>Wireshark Integer overflow vulnerability in wiretap/erf.c</title>
        <affected family="windows">
          <platform>Microsoft Windows 2000</platform>
          <platform>Microsoft Windows XP</platform>
          <platform>Microsoft Windows Server 2003</platform>
          <platform>Microsoft Windows Vista</platform>
          <platform>Microsoft Windows 7</platform>
          <product>Wireshark</product>
        </affected>
        <reference source="CVE" ref_id="CVE-2009-3829" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3829"/>
        <description>Integer overflow in wiretap/erf.c in Wireshark before 1.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted erf file, related to an "unsigned integer wrap vulnerability."</description>
        <oval_repository>
          <dates>
            <submitted date="2009-11-17T15:11:12">
              <contributor organization="SecPod Technologies">Prabhu S A</contributor>
            </submitted>
          </dates>
          <status>INITIAL SUBMISSION</status>
        </oval_repository>
      </metadata>
      <criteria operator="OR">
        <criteria operator="AND">
          <extend_definition comment="Wireshark is installed on the system" definition_ref="oval:org.secpod.oval:def:91039"/>
          <criterion comment="Check for version of Wireshark installed on the system is before 1.2.2" test_ref="oval:org.secpod.oval:tst:91040"/>
        </criteria>
      </criteria>
    </definition>
    <definition id="oval:org.secpod.oval:def:91041" version="1" class="vulnerability">
      <metadata>
        <title>Wireshark off-by-one error in the dissect_negprot_response function in packet-smb.c in the SMB dissector (DoS vulnerability)</title>
        <affected family="windows">
          <platform>Microsoft Windows 2000</platform>
          <platform>Microsoft Windows XP</platform>
          <platform>Microsoft Windows Server 2003</platform>
          <platform>Microsoft Windows Vista</platform>
          <platform>Microsoft Windows 7</platform>
          <product>Wireshark</product>
        </affected>
        <reference source="CVE" ref_id="CVE-2009-3551" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3551"/>
        <description>Off-by-one error in the dissect_negprot_response function in packet-smb.c in the SMB dissector in Wireshark 1.2.0 through 1.2.2 allows remote attackers to cause a denial of service (application crash) via a file that records a malformed packet trace. NOTE: some of these details are obtained from third party information.</description>
        <oval_repository>
          <dates>
            <submitted date="2009-11-17T15:11:12">
              <contributor organization="SecPod Technologies">Prabhu S A</contributor>
            </submitted>
          </dates>
          <status>INITIAL SUBMISSION</status>
        </oval_repository>
      </metadata>
      <criteria operator="OR">
        <criteria operator="AND">
          <extend_definition comment="Wireshark is installed on the system" definition_ref="oval:org.secpod.oval:def:91039"/>
          <criterion comment="Check for version of Wireshark installed on the system is 1.2.0 through 1.2.2" test_ref="oval:org.secpod.oval:tst:91041"/>
        </criteria>
      </criteria>
    </definition>
    <definition id="oval:org.secpod.oval:def:91042" version="1" class="vulnerability">
      <metadata>
        <title>Wireshark DoS Vulnerability due to the DCERPC/NT dissector</title>
        <affected family="windows">
          <platform>Microsoft Windows 2000</platform>
          <platform>Microsoft Windows XP</platform>
          <platform>Microsoft Windows Server 2003</platform>
          <platform>Microsoft Windows Vista</platform>
          <platform>Microsoft Windows 7</platform>
          <product>Wireshark</product>
        </affected>
        <reference source="CVE" ref_id="CVE-2009-3550" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3550"/>
        <description>The DCERPC/NT dissector in Wireshark 0.10.10 through 1.0.9 and 1.2.0 through 1.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a file that records a malformed packet trace. NOTE: some of these details are obtained from third party information.</description>
        <oval_repository>
          <dates>
            <submitted date="2009-11-17T15:11:12">
              <contributor organization="SecPod Technologies">Prabhu S A</contributor>
            </submitted>
          </dates>
          <status>INITIAL SUBMISSION</status>
        </oval_repository>
      </metadata>
      <criteria operator="OR">
        <criteria operator="AND">
          <extend_definition comment="Wireshark is installed on the system" definition_ref="oval:org.secpod.oval:def:91039"/>
          <criterion comment="Check for version of Wireshark installed on the system is 0.10.10 through 1.0.9 and 1.2.0 through 1.2.2" test_ref="oval:org.secpod.oval:tst:91042"/>
        </criteria>
      </criteria>
    </definition>
    <definition id="oval:org.secpod.oval:def:91043" version="1" class="vulnerability">
      <metadata>
        <title>Wireshark Denial of Service vulnerability caused by packet-paltalk.c in the Paltalk dissector</title>
        <affected family="windows">
          <platform>Microsoft Windows 2000</platform>
          <platform>Microsoft Windows XP</platform>
          <platform>Microsoft Windows Server 2003</platform>
          <platform>Microsoft Windows Vista</platform>
          <platform>Microsoft Windows 7</platform>
          <product>Wireshark</product>
        </affected>
        <reference source="CVE" ref_id="CVE-2009-3549" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3549"/>
        <description>packet-paltalk.c in the Paltalk dissector in Wireshark 1.2.0 through 1.2.2, on SPARC and certain other platforms, allows remote attackers to cause a denial of service (application crash) via a file that records a malformed packet trace.</description>
        <oval_repository>
          <dates>
            <submitted date="2009-11-17T15:11:12">
              <contributor organization="SecPod Technologies">Prabhu S A</contributor>
            </submitted>
          </dates>
          <status>INITIAL SUBMISSION</status>
        </oval_repository>
      </metadata>
      <criteria operator="OR">
        <criteria operator="AND">
          <extend_definition comment="Wireshark is installed on the system" definition_ref="oval:org.secpod.oval:def:91039"/>
          <criterion comment="Check for version of Wireshark installed on the system is 1.2.0 through 1.2.2" test_ref="oval:org.secpod.oval:tst:91041"/>
        </criteria>
      </criteria>
    </definition>
    <definition id="oval:org.mitre.oval:def:85" version="3" class="inventory">
      <metadata>
        <title>Microsoft Windows 2000 is installed</title>
        <affected family="windows">
          <platform>Microsoft Windows 2000</platform>
        </affected>
        <reference source="CPE" ref_id="cpe:/o:microsoft:windows_2000"/>
        <description>The operating system installed on the system is Microsoft Windows 2000.</description>
        <oval_repository>
          <dates>
            <submitted date="2006-06-26T12:55:00.000-04:00">
              <contributor organization="The MITRE Corporation">Andrew Buttner</contributor>
            </submitted>
            <status_change date="2006-06-26T12:55:00.000-04:00">ACCEPTED</status_change>
            <modified comment="Added CPE reference." date="2007-04-30T07:48:00.142-04:00">
              <contributor organization="The MITRE Corporation">Jonathan Baker</contributor>
            </modified>
            <status_change date="2007-04-30T08:03:27.160-04:00">INTERIM</status_change>
            <status_change date="2007-05-23T15:05:53.257-04:00">ACCEPTED</status_change>
            <modified comment="Changed the CPE reference" date="2008-04-04T11:17:00.718-04:00">
              <contributor organization="The MITRE Corporation">Andrew Buttner</contributor>
            </modified>
            <status_change date="2008-04-04T11:29:31.741-04:00">INTERIM</status_change>
            <status_change date="2008-04-21T04:00:24.735-04:00">ACCEPTED</status_change>
          </dates>
          <status>ACCEPTED</status>
        </oval_repository>
      </metadata>
      <criteria operator="AND">
        <criterion comment="the installed operating system is part of the Microsoft Windows family" test_ref="oval:org.mitre.oval:tst:99"/>
        <criterion comment="Windows 2000 is installed" test_ref="oval:org.mitre.oval:tst:2"/>
      </criteria>
    </definition>
    <definition id="oval:org.mitre.oval:def:754" version="2" class="inventory">
      <metadata>
        <title>Microsoft Windows XP (x86) SP2 is installed</title>
        <affected family="windows">
          <platform>Microsoft Windows XP</platform>
        </affected>
        <reference source="CPE" ref_id="cpe:/o:microsoft:windows_xp::sp2:x86"/>
        <description>A version of Microsoft Windows XP (x86) Service Pack 2 is installed.</description>
        <oval_repository>
          <dates>
            <submitted date="2007-03-05T09:00:00">
              <contributor organization="The MITRE Corporation">Andrew Buttner</contributor>
            </submitted>
            <status_change date="2007-03-05T09:00:00">DRAFT</status_change>
            <status_change date="2007-03-21T16:17:26.869-04:00">INTERIM</status_change>
            <status_change date="2007-04-10T13:44:28.583-04:00">ACCEPTED</status_change>
            <modified comment="Changed the CPE reference" date="2008-04-04T11:17:00.434-04:00">
              <contributor organization="The MITRE Corporation">Andrew Buttner</contributor>
            </modified>
            <status_change date="2008-04-04T11:29:22.458-04:00">INTERIM</status_change>
            <status_change date="2008-04-21T04:00:24.359-04:00">ACCEPTED</status_change>
          </dates>
          <status>ACCEPTED</status>
        </oval_repository>
      </metadata>
      <criteria operator="AND">
        <criterion comment="the installed operating system is part of the Microsoft Windows family" test_ref="oval:org.mitre.oval:tst:99"/>
        <criterion comment="a version of Microsoft Windows XP is installed" test_ref="oval:org.mitre.oval:tst:3"/>
        <criterion comment="a version of Windows for the x86 architecture is installed" test_ref="oval:org.mitre.oval:tst:3823"/>
        <criterion comment="Win2K/XP/2003 service pack 2 is installed" test_ref="oval:org.mitre.oval:tst:3019"/>
      </criteria>
    </definition>
    <definition id="oval:org.mitre.oval:def:565" version="2" class="inventory">
      <metadata>
        <title>Microsoft Windows Server 2003 SP1 (x86) is installed</title>
        <affected family="windows">
          <platform>Microsoft Windows Server 2003</platform>
        </affected>
        <reference source="CPE" ref_id="cpe:/o:microsoft:windows_2003::sp1:x86"/>
        <description>A version of Microsoft Windows Server 2003 Service Pack 1 (x86) is installed.</description>
        <oval_repository>
          <dates>
            <submitted date="2006-07-25T12:05:33">
              <contributor organization="ThreatGuard, Inc.">Robert L. Hollis</contributor>
            </submitted>
            <status_change date="2006-07-27T20:15:00.000-04:00">DRAFT</status_change>
            <status_change date="2006-09-27T12:29:31.197-04:00">INTERIM</status_change>
            <status_change date="2006-10-16T15:58:44.696-04:00">ACCEPTED</status_change>
            <modified comment="Changed the CPE reference" date="2008-04-04T11:17:00.371-04:00">
              <contributor organization="The MITRE Corporation">Andrew Buttner</contributor>
            </modified>
            <status_change date="2008-04-04T11:28:41.395-04:00">INTERIM</status_change>
            <status_change date="2008-04-21T04:00:23.334-04:00">ACCEPTED</status_change>
          </dates>
          <status>ACCEPTED</status>
        </oval_repository>
      </metadata>
      <criteria operator="AND">
        <criterion comment="the installed operating system is part of the Microsoft Windows family" test_ref="oval:org.mitre.oval:tst:99"/>
        <criterion comment="a version of Microsoft Windows Server 2003 is installed" test_ref="oval:org.mitre.oval:tst:4"/>
        <criterion comment="a version of Windows for the x86 architecture is installed" test_ref="oval:org.mitre.oval:tst:3823"/>
        <criterion comment="Win2K/XP/2003/Vista service pack 1 is installed" test_ref="oval:org.mitre.oval:tst:2843"/>
      </criteria>
    </definition>
    <definition id="oval:org.mitre.oval:def:5631" version="1" class="inventory">
      <metadata>
        <title>Microsoft Windows XP (x86) SP3 is installed</title>
        <affected family="windows">
          <platform>Microsoft Windows XP</platform>
        </affected>
        <reference source="CPE" ref_id="cpe:/o:microsoft:windows_xp::sp3:x86"/>
        <description>A version of Microsoft Windows XP (x86) Service Pack 3 is installed.</description>
        <oval_repository>
          <dates>
            <submitted date="2008-06-10T14:50:00">
              <contributor organization="Secure Elements, Inc.">Sudhir Gandhe</contributor>
            </submitted>
            <status_change date="2008-06-12T13:58:47.155-04:00">DRAFT</status_change>
            <status_change date="2008-06-30T04:00:18.370-04:00">INTERIM</status_change>
            <status_change date="2008-07-21T04:00:18.901-04:00">ACCEPTED</status_change>
          </dates>
          <status>ACCEPTED</status>
        </oval_repository>
      </metadata>
      <criteria operator="AND">
        <criterion comment="the installed operating system is part of the Microsoft Windows family" test_ref="oval:org.mitre.oval:tst:99"/>
        <criterion comment="a version of Microsoft Windows XP is installed" test_ref="oval:org.mitre.oval:tst:3"/>
        <criterion comment="a version of Windows for the x86 architecture is installed" test_ref="oval:org.mitre.oval:tst:3823"/>
        <criterion comment="Win2K/XP/2003 service pack 3 is installed" test_ref="oval:org.mitre.oval:tst:7814"/>
      </criteria>
    </definition>
    <definition id="oval:org.mitre.oval:def:4873" version="1" class="inventory">
      <metadata>
        <title>Microsoft Windows Vista (32-bit) Service Pack 1 is installed</title>
        <affected family="windows">
          <platform>Microsoft Windows Vista</platform>
        </affected>
        <reference source="CPE" ref_id="cpe:/o:microsoft:windows_vista::sp1:x86"/>
        <description>The operating system installed on the system is Microsoft Windows Vista (32-bit) Service Pack 1</description>
        <oval_repository>
          <dates>
            <submitted date="2008-03-26T10:44:02">
              <contributor organization="Secure Elements, Inc.">Sudhir Gandhe</contributor>
            </submitted>
            <status_change date="2008-03-26T16:27:29.495-04:00">DRAFT</status_change>
            <modified comment="Changed the CPE reference" date="2008-04-04T11:17:00.108-04:00">
              <contributor organization="The MITRE Corporation">Andrew Buttner</contributor>
            </modified>
            <status_change date="2008-04-21T04:00:20.428-04:00">INTERIM</status_change>
            <status_change date="2008-05-12T04:00:14.497-04:00">ACCEPTED</status_change>
          </dates>
          <status>ACCEPTED</status>
        </oval_repository>
      </metadata>
      <criteria>
        <criterion comment="the installed operating system is part of the Microsoft Windows family" test_ref="oval:org.mitre.oval:tst:99"/>
        <criterion comment="Windows Vista is installed" test_ref="oval:org.mitre.oval:tst:7914"/>
        <criterion negate="true" comment="a version of Windows for the x64 architecture is installed" test_ref="oval:org.mitre.oval:tst:3653"/>
        <criterion comment="Win2K/XP/2003/Vista service pack 1 is installed" test_ref="oval:org.mitre.oval:tst:2843"/>
      </criteria>
    </definition>
    <definition id="oval:org.mitre.oval:def:1935" version="2" class="inventory">
      <metadata>
        <title>Microsoft Windows Server 2003 SP2 (x86) is installed</title>
        <affected family="windows">
          <platform>Microsoft Windows Server 2003</platform>
        </affected>
        <reference source="CPE" ref_id="cpe:/o:microsoft:windows_2003::sp2:x86"/>
        <description>A version of Microsoft Windows Server 2003 Service Pack 2 (x86) is installed.</description>
        <oval_repository>
          <dates>
            <submitted date="2007-04-09T09:49:32">
              <contributor organization="Secure Elements, Inc.">Sudhir Gandhe</contributor>
            </submitted>
            <status_change date="2007-04-09T11:20:00.000-05:00">DRAFT</status_change>
            <status_change date="2007-04-25T19:52:21.584-04:00">INTERIM</status_change>
            <modified comment="Dropped tst:4078 in favor of existing tst:3019." date="2007-04-26T13:47:00.955-04:00">
              <contributor organization="ThreatGuard, Inc.">Robert L. Hollis</contributor>
            </modified>
            <status_change date="2007-05-23T15:05:34.661-04:00">ACCEPTED</status_change>
            <modified comment="Changed the CPE reference" date="2008-04-04T11:17:00.742-04:00">
              <contributor organization="The MITRE Corporation">Andrew Buttner</contributor>
            </modified>
            <status_change date="2008-04-04T11:25:17.766-04:00">INTERIM</status_change>
            <status_change date="2008-04-21T04:00:15.390-04:00">ACCEPTED</status_change>
          </dates>
          <status>ACCEPTED</status>
        </oval_repository>
      </metadata>
      <criteria operator="AND">
        <criterion comment="the installed operating system is part of the Microsoft Windows family" test_ref="oval:org.mitre.oval:tst:99"/>
        <criterion comment="a version of Microsoft Windows Server 2003 is installed" test_ref="oval:org.mitre.oval:tst:4"/>
        <criterion comment="a version of Windows for the x86 architecture is installed" test_ref="oval:org.mitre.oval:tst:3823"/>
        <criterion comment="Win2K/XP/2003 service pack 2 is installed" test_ref="oval:org.mitre.oval:tst:3019"/>
      </criteria>
    </definition>
    <definition id="oval:org.mitre.oval:def:1282" version="2" class="inventory">
      <metadata>
        <title>Microsoft Windows Vista (32-bit) is installed</title>
        <affected family="windows">
          <platform>Microsoft Windows Vista</platform>
        </affected>
        <reference source="CPE" ref_id="cpe:/o:microsoft:windows_vista:::x86"/>
        <description>The operating system installed on the system is Microsoft Windows Vista (32-bit)</description>
        <oval_repository>
          <dates>
            <submitted date="2007-04-11T11:27:37.975-04:00">
              <contributor organization="The MITRE Corporation">Jonathan Baker</contributor>
            </submitted>
            <status_change date="2007-04-11T12:15:00.000-04:00">DRAFT</status_change>
            <status_change date="2007-04-30T08:18:46.566-04:00">INTERIM</status_change>
            <status_change date="2007-05-23T15:05:26.800-04:00">ACCEPTED</status_change>
            <modified comment="Vista test Updated because of the conflictions with Server 2008" date="2008-03-26T10:51:02.210-04:00">
              <contributor organization="Secure Elements, Inc.">Sudhir Gandhe</contributor>
            </modified>
            <status_change date="2008-03-31T04:00:20.410-04:00">INTERIM</status_change>
            <modified comment="Changed the CPE reference" date="2008-04-04T11:17:00.749-04:00">
              <contributor organization="The MITRE Corporation">Andrew Buttner</contributor>
            </modified>
            <status_change date="2008-04-21T04:00:11.683-04:00">ACCEPTED</status_change>
          </dates>
          <status>ACCEPTED</status>
        </oval_repository>
      </metadata>
      <criteria>
        <criterion comment="the installed operating system is part of the Microsoft Windows family" test_ref="oval:org.mitre.oval:tst:99"/>
        <criterion comment="Windows Vista is installed" test_ref="oval:org.mitre.oval:tst:7914"/>
        <criterion negate="true" comment="a version of Windows for the x64 architecture is installed" test_ref="oval:org.mitre.oval:tst:3653"/>
      </criteria>
    </definition>
    <definition id="oval:org.mitre.oval:def:6165" version="1" class="inventory">
      <metadata>
        <title>Microsoft Windows 7 (32-bit) is installed</title>
        <affected family="windows">
          <platform>Microsoft Windows 7</platform>
        </affected>
        <reference source="CPE" ref_id="cpe:/o:microsoft:windows_7:::x86"/>
        <description>The operating system installed on the system is Microsoft Windows 7 (32-bit)</description>
        <oval_repository>
          <dates>
            <submitted date="2009-09-08T11:27:37.975-04:00">
              <contributor organization="Hewlett-Packard">Pai Peng</contributor>
            </submitted>
            <status_change date="2009-09-08T20:49:38.394-04:00">DRAFT</status_change>
            <status_change date="2009-09-28T04:00:16.403-04:00">INTERIM</status_change>
            <status_change date="2009-10-26T04:00:04.727-04:00">ACCEPTED</status_change>
          </dates>
          <status>ACCEPTED</status>
        </oval_repository>
      </metadata>
      <criteria>
        <criterion comment="the installed operating system is part of the Microsoft Windows family" test_ref="oval:org.mitre.oval:tst:99"/>
        <criterion comment="Windows 7 is installed" test_ref="oval:org.mitre.oval:tst:10792"/>
        <criterion negate="true" comment="a version of Windows for the x64 architecture is installed" test_ref="oval:org.mitre.oval:tst:3653"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <registry_test id="oval:org.mitre.oval:tst:2" version="1" comment="Windows 2000 is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:123"/>
      <state state_ref="oval:org.mitre.oval:ste:2"/>
    </registry_test>
    <registry_test id="oval:org.mitre.oval:tst:7814" version="1" comment="Win2K/XP/2003 service pack 3 is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:717"/>
      <state state_ref="oval:org.mitre.oval:ste:3794"/>
    </registry_test>
    <registry_test id="oval:org.mitre.oval:tst:3" version="1" comment="a version of Microsoft Windows XP is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:123"/>
      <state state_ref="oval:org.mitre.oval:ste:3"/>
    </registry_test>
    <registry_test id="oval:org.mitre.oval:tst:2843" version="1" comment="Win2K/XP/2003/Vista service pack 1 is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:717"/>
      <state state_ref="oval:org.mitre.oval:ste:2662"/>
    </registry_test>
    <registry_test id="oval:org.mitre.oval:tst:4" version="1" comment="a version of Microsoft Windows Server 2003 is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:123"/>
      <state state_ref="oval:org.mitre.oval:ste:4"/>
    </registry_test>
    <registry_test id="oval:org.mitre.oval:tst:3823" version="1" comment="a version of Windows for the x86 architecture is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:1576"/>
      <state state_ref="oval:org.mitre.oval:ste:3649"/>
    </registry_test>
    <registry_test id="oval:org.mitre.oval:tst:3019" version="1" comment="Win2K/XP/2003 service pack 2 is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:717"/>
      <state state_ref="oval:org.mitre.oval:ste:2827"/>
    </registry_test>
    <family_test id="oval:org.mitre.oval:tst:99" version="1" comment="the installed operating system is part of the Microsoft Windows family" check_existence="at_least_one_exists" check="only one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
      <object object_ref="oval:org.mitre.oval:obj:99"/>
      <state state_ref="oval:org.mitre.oval:ste:99"/>
    </family_test>
    <registry_test id="oval:org.mitre.oval:tst:7914" version="1" comment="Windows Vista is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:5590"/>
      <state state_ref="oval:org.mitre.oval:ste:3828"/>
    </registry_test>
    <registry_test id="oval:org.mitre.oval:tst:3653" version="2" comment="a version of Windows for the x64 architecture is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:1576"/>
      <state state_ref="oval:org.mitre.oval:ste:3180"/>
    </registry_test>
    <registry_test id="oval:org.mitre.oval:tst:10792" version="1" comment="Windows 7 is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:5590"/>
      <state state_ref="oval:org.mitre.oval:ste:5027"/>
    </registry_test>
    <registry_test id="oval:org.secpod.oval:tst:91039" version="1" comment="Wireshark is installed on the system" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.secpod.oval:obj:91039"/>
      <state state_ref="oval:org.secpod.oval:ste:91039"/>
    </registry_test>
    <registry_test id="oval:org.secpod.oval:tst:91040" version="1" comment="Check for version of Wireshark installed on the system is before 1.2.2" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:6871"/>
      <state state_ref="oval:org.secpod.oval:ste:91040"/>
    </registry_test>
    <registry_test id="oval:org.secpod.oval:tst:91041" version="1" comment="Check for version of Wireshark installed on the system is 1.2.0 through 1.2.2" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:6871"/>
      <state state_ref="oval:org.secpod.oval:ste:91041"/>
    </registry_test>
    <registry_test id="oval:org.secpod.oval:tst:91042" version="1" comment="Check for version of Wireshark installed on the system is 0.10.10 through 1.0.9 and 1.2.0 through 1.2.2" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:6871"/>
      <state state_ref="oval:org.secpod.oval:ste:91042"/>
    </registry_test>
  </tests>
  <objects>
    <registry_object id="oval:org.mitre.oval:obj:123" version="1" comment="Registry key that holds the current Windows OS version" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key>
      <name>CurrentVersion</name>
    </registry_object>
    <registry_object id="oval:org.mitre.oval:obj:717" version="1" comment="This registry key holds the service pack installed on the host if one is present." xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key>
      <name>CSDVersion</name>
    </registry_object>
    <family_object id="oval:org.mitre.oval:obj:99" version="1" comment="This is the default family object. Only one family object should exist." xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"/>
    <registry_object id="oval:org.mitre.oval:obj:5590" version="1" comment="This registry key identifies the Windows ProductName" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key>
      <name>ProductName</name>
    </registry_object>
    <registry_object id="oval:org.mitre.oval:obj:1576" version="1" comment="This registry key identifies the architecture on the system" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SYSTEM\CurrentControlSet\Control\Session Manager\Environment</key>
      <name>PROCESSOR_ARCHITECTURE</name>
    </registry_object>
    <registry_object id="oval:org.mitre.oval:obj:6871" version="1" comment="The registry value that holds the installed Wireshark version (DisplayVersion)." xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark</key>
      <name>DisplayVersion</name>
    </registry_object>
    <registry_object id="oval:org.secpod.oval:obj:91039" version="1" comment="The registry value that holds the Wireshark display name (DisplayName), used to detect that Wireshark is installed." xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark</key>
      <name>DisplayName</name>
    </registry_object>
  </objects>
  <states>
    <registry_state id="oval:org.mitre.oval:ste:2" version="1" comment="Registry key has a value of 5.0" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value>5.0</value>
    </registry_state>
    <registry_state id="oval:org.mitre.oval:ste:3794" version="1" comment="The registry key has a value of Service Pack 3" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value>Service Pack 3</value>
    </registry_state>
    <registry_state id="oval:org.mitre.oval:ste:3" version="1" comment="The registry key has a value of 5.1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value>5.1</value>
    </registry_state>
    <registry_state id="oval:org.mitre.oval:ste:2662" version="1" comment="The registry key has a value of Service Pack 1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value>Service Pack 1</value>
    </registry_state>
    <registry_state id="oval:org.mitre.oval:ste:4" version="1" comment="The registry key has a value of 5.2" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value>5.2</value>
    </registry_state>
    <registry_state id="oval:org.mitre.oval:ste:3649" version="1" comment="x86 architecture" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value>x86</value>
    </registry_state>
    <registry_state id="oval:org.mitre.oval:ste:2827" version="1" comment="The registry key has a value of Service Pack 2" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value>Service Pack 2</value>
    </registry_state>
    <family_state id="oval:org.mitre.oval:ste:99" version="1" comment="Microsoft Windows family" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
      <family>windows</family>
    </family_state>
    <registry_state id="oval:org.mitre.oval:ste:3828" version="1" comment="The registry key matches with Vista" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value operation="pattern match">.*[Vv]ista.*</value>
    </registry_state>
    <registry_state id="oval:org.mitre.oval:ste:3180" version="2" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value>amd64</value>
    </registry_state>
    <registry_state id="oval:org.mitre.oval:ste:5027" version="1" comment="The registry key matches with Windows 7" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value operation="pattern match">Windows 7</value>
    </registry_state>
    <registry_state id="oval:org.secpod.oval:ste:91039" version="1" comment="The registry key matches with Wireshark installed on the system" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value operation="pattern match">Wireshark [0-9]</value>
    </registry_state>
    <registry_state id="oval:org.secpod.oval:ste:91040" version="1" comment="The registry key matches with version of the Wireshark less than 1.2.2" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value datatype="version" operation="less than">1.2.2</value>
    </registry_state>
    <registry_state id="oval:org.secpod.oval:ste:91041" version="1" comment="The registry key matches with version of the Wireshark 1.2.0 through 1.2.2" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value operation="pattern match">^1\.2(\.[0-2])?$</value>
    </registry_state>
    <registry_state id="oval:org.secpod.oval:ste:91042" version="1" comment="The registry key matches with version of the Wireshark 0.10.10 through 1.0.9 and 1.2.0 through 1.2.2" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value operation="pattern match">^(0\.10(\.1[0-9])?|1\.0(\.[0-9])?|1\.2(\.[0-2])?)$</value>
    </registry_state>
  </states>
</oval_definitions>

Re: OVAL Definitions for Wireshark

Thomas Jones
Prabhu.S.A,

Wireshark is also available for almost every Linux system on the market.

Cheers,
Thomas

On Tue, 2009-11-17 at 12:26 +0530, prabhu wrote:


Re: OVAL Definitions for Wireshark

Lah, Mike M.
In reply to this post by sprabhu

Prabhu,

Thank you for the definitions. The OVAL Repository has been updated and the definitions are available for further community review.

A small correction: new OVAL definitions should be version 0. The version is incremented to 1 when the definition reaches ACCEPTED status.

Thanks,

Mike

====================================================
Mike Lah
G022 - Information Assurance Industry Collaboration
The MITRE Corporation
[hidden email]

From: prabhu [mailto:[hidden email]]
Sent: Tuesday, November 17, 2009 1:57 AM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: [OVAL-DISCUSSION-LIST] OVAL Definitions for Wireshark


Re: OVAL Definitions for Wireshark

Jon Baker
Administrator
In reply to this post by Thomas Jones
This is a common situation. Over the years we have had Windows-based vulnerability definitions contributed for numerous applications (Firefox, Safari, etc.) that also affect Linux and other platforms. Our intent for vulnerability definitions has been to write one OVAL definition per issue. This can be achieved by adding an <affected> element for each affected family. Then in the criteria section of the definition we can 'OR' together separate criteria blocks for each affected platform. Here is a rough example of the criteria section:

<criteria operator="OR">
  <criteria operator="AND" comment="Windows vulnerability conditions">
    <extend_definition comment="Wireshark is installed on the system." definition_ref="oval:org.mitre.oval:def:6589"/>
    <criterion comment="Check for version of Wireshark installed on the system is 1.2.0 through 1.2.2" test_ref="oval:org.mitre.oval:tst:10498"/>
  </criteria>
  <criteria operator="AND" comment="Red Hat vulnerability conditions">
    <!-- insert test references here -->
  </criteria>
</criteria>

If there is interest in researching and developing other platform checks like this we can certainly update this submission and other definitions as needed. In looking closer at this submission it occurs to me that if we did add in checks for other platforms we might also want to update the inventory definition to either state that it is for Windows only or support other platforms too.

Regards,

Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]


>-----Original Message-----
>From: Thomas R. Jones [mailto:[hidden email]]
>Sent: Tuesday, November 17, 2009 9:31 AM
>To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
>Subject: Re: [OVAL-DISCUSSION-LIST] OVAL Definitions for Wireshark
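The registry states in the submitted definitions (the 'pattern match' and datatype="version" 'less than' operations in oval:org.secpod.oval:ste:91040 through ste:91042) and the OR-of-AND criteria shape sketched above are easy to get subtly wrong, so here is a small evaluator that exercises both. This is an added example, not code from the submission, from SecPod, from MITRE or from the OVAL Repository; the registry contents, the criteria tree and all function names are constructed for this illustration. It also shows why the version datatype matters: compared as strings, "1.10.0" sorts before "1.2.2".

```python
"""Evaluate OVAL-style registry states and nested AND/OR criteria
against constructed registry values.

Added example; not part of the OVAL Repository, the SecPod submission
or MITRE's tooling.  It re-implements two ideas from this thread in a
few lines: registry_state matching ('pattern match' and
datatype="version" 'less than') and <criteria operator="AND|OR">
evaluation.  All hosts and values below are made-up sample data.
"""
import re
from typing import Callable, Dict, List, Tuple, Union

Matcher = Callable[[str], bool]


def version_key(value: str) -> Tuple[int, ...]:
    """Split a dotted version into integer components so that 1.10.0
    sorts after 1.2.2.  Missing trailing components count as 0, so
    1.2 == 1.2.0, which is how the OVAL 'version' datatype treats them."""
    parts = [int(p) for p in re.findall(r"\d+", value)]
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4])


def pattern_match(regex: str) -> Matcher:
    """operation="pattern match": the regex is searched, not anchored,
    so a pattern without ^...$ also matches a substring."""
    compiled = re.compile(regex)
    return lambda value: compiled.search(value) is not None


def version_less_than(bound: str) -> Matcher:
    """datatype="version" operation="less than"."""
    return lambda value: version_key(value) < version_key(bound)


# States modelled on ste:91039..91042 (dots in the version patterns are
# escaped; an unescaped '.' would match any character).
STATES: Dict[str, Matcher] = {
    "ste:91039": pattern_match(r"Wireshark [0-9]"),
    "ste:91040": version_less_than("1.2.2"),
    "ste:91041": pattern_match(r"^1\.2(\.[0-2])?$"),
    "ste:91042": pattern_match(
        r"^(0\.10(\.1[0-9])?|1\.0(\.[0-9])?|1\.2(\.[0-2])?)$"),
}

# Test -> (registry value name under the Wireshark uninstall key, state),
# following the object/state references of the submitted tests.
TESTS: Dict[str, Tuple[str, str]] = {
    "tst:91039": ("DisplayName", "ste:91039"),
    "tst:91040": ("DisplayVersion", "ste:91040"),
    "tst:91041": ("DisplayVersion", "ste:91041"),
    "tst:91042": ("DisplayVersion", "ste:91042"),
}

# Criteria tree in the shape sketched in the thread: OR over per-platform
# AND blocks.  A criterion is a test id string; a tuple is (operator,
# children).  The Red Hat branch is still the empty placeholder, and an
# AND with no children is treated as not satisfied here (a design choice
# of this example) so an unwritten branch can never flag a host.
Criteria = Union[str, Tuple[str, List["Criteria"]]]
CRITERIA: Criteria = ("OR", [
    ("AND", ["tst:91039", "tst:91041"]),   # Windows: installed AND 1.2.0-1.2.2
    ("AND", []),                           # Red Hat: tests not yet written
])


def run_test(test_id: str, registry: Dict[str, str]) -> bool:
    """One test: the collected value must exist and match the state
    (check_existence="at_least_one_exists" makes a missing value fail)."""
    name, state_id = TESTS[test_id]
    value = registry.get(name)
    return value is not None and STATES[state_id](value)


def evaluate(node: Criteria, registry: Dict[str, str]) -> bool:
    """Recursively combine criterion results with AND / OR."""
    if isinstance(node, str):
        return run_test(node, registry)
    operator, children = node
    results = [evaluate(child, registry) for child in children]
    if operator == "AND":
        return bool(results) and all(results)
    if operator == "OR":
        return any(results)
    raise ValueError(f"unsupported operator {operator!r}")


# Constructed sample hosts (not collected from real systems).
HOST_VULNERABLE = {"DisplayName": "Wireshark 1.2.1", "DisplayVersion": "1.2.1"}
HOST_PATCHED = {"DisplayName": "Wireshark 1.2.3", "DisplayVersion": "1.2.3"}
HOST_NO_WIRESHARK: Dict[str, str] = {}

if __name__ == "__main__":
    for label, host in (("vulnerable", HOST_VULNERABLE),
                        ("patched", HOST_PATCHED),
                        ("absent", HOST_NO_WIRESHARK)):
        print(f"{label:10s} -> {evaluate(CRITERIA, host)}")
    print("1.10.0 < 1.2.2 as versions:", version_less_than("1.2.2")("1.10.0"))
    print("1.10.0 < 1.2.2 as strings :", "1.10.0" < "1.2.2")
```

Run it as a script and the vulnerable host evaluates to True, the patched and absent hosts to False; the last two lines print False and True respectively, which is the case a regex- or string-based version check gets wrong and the version datatype gets right.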

Re: OVAL Definitions for Wireshark

Chandrashekhar B
Hello,

The focus has been Windows to start with for us. I agree that we should
check other platforms as well. But, I don't understand the need for it to be
in a single definition. There are two issues with that,

1. Linux vendors maintain packages (backport) separately and they release
advisories and solutions not necessarily at the same time when a CVE is
reported. The vulnerable versions mentioned in the CVEs are not
necessarily the versions that are vulnerable on Fedora or Debian. At the time
of writing an OVAL vulnerability definition for each CVE, the Linux vendor wouldn't
have released their advisories. The options are,

a. Write the def as per the CVE (version check) and update when a vendor
security advisory is released as per the advisory.

b. Write separate definitions as per the vendor security advisory as and
when they release for each platform. This mostly can be automated (we are
still working on Debian).

I prefer option #b since it is easy to deal with, maintenance is easy, helps
to automate as well.

2. The definitions are anyway getting distributed per platform, why write a
single definition and then split the definition per platform while
distributing?

But, if there are products/tools that aren't maintained by Linux vendors,
like Adobe Reader, we could combine into one definition.

Thanks,
Chandra.
 

> -----Original Message-----
> From: Baker, Jon [mailto:[hidden email]]
> Sent: Wednesday, November 18, 2009 7:38 AM
> To: [hidden email]
> Subject: Re: [OVAL-DISCUSSION-LIST] OVAL Definitions for Wireshark

Re: OVAL Definitions for Wireshark

Jon Baker
Administrator
The decision to create one definition per CVE was made several years ago. I certainly see that aligning vulnerability definitions on a per-vendor basis makes them easier to maintain and create, but what about the users? The fact that there are several vulnerability definitions per CVE could be confusing. When a user searches for a CVE they will find multiple matches instead of one.

My thought is that we can merge definitions later if we need to. It would be nice to remove challenges from creation and management of the content in order to encourage broader coverage for CVEs. I am curious to know what others think. Does it make sense to allow many definitions per CVE?

Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]


>-----Original Message-----
>From: Chandrashekhar B [mailto:[hidden email]]
>Sent: Wednesday, November 18, 2009 1:16 AM
>To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
>Subject: Re: [OVAL-DISCUSSION-LIST] OVAL Definitions for Wireshark

Re: OVAL Definitions for Wireshark

Thomas Jones
My 2 cents. We should write definitions that accurately and completely
cover a CVE. It should be produced to ensure the greatest amount of
precision without introducing false negatives.

Whatever distros or products are covered by a given CVE should also be
covered by the definition. Otherwise we risk missed attributes and
tests and ultimately introduce an inadvertent non-coverage issue.

Sent from my iPhone

On Nov 18, 2009, at 7:21 AM, "Baker, Jon" <[hidden email]> wrote:


Re: OVAL Definitions for Wireshark

Jon Baker
Administrator
As Thomas has pointed out, there are a number of issues with splitting vulnerability definitions up such that there are many definitions for one CVE. However, as we discussed on this thread, there is a real burden to forcing a one-definition-to-one-CVE rule in the OVAL Repository. At the moment I think that the best we can realistically achieve is to continue working with a goal of having only one definition per CVE, and on a case-by-case basis consider allowing for more than one definition for a given CVE. We can discuss specific cases/issues on this list when and if they arise.

Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]


>-----Original Message-----
>From: Thomas R. Jones [mailto:[hidden email]]
>Sent: Wednesday, November 18, 2009 7:51 AM
>To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
>Subject: Re: [OVAL-DISCUSSION-LIST] OVAL Definitions for Wireshark
>
>My 2 cents. We should write definitions that accurately and completely
>cover a CVE. It should be produced to ensure the greatest amount of
>precision without introducing false negatives.
>
>Whatever distros or products are covered by a given CVE should also be
>covered by the definition. Otherwise we risk missed attibutes and
>tests and ultimately introduce an inadvertant non-coverage issue.
>
>Sent from my iPhone
>
>On Nov 18, 2009, at 7:21 AM, "Baker, Jon" <[hidden email]> wrote:
>
>> The decision to create one definition per CVE was made several years
>> ago. I certainly see that aligning vulnerability definitions on a
>> per vendor basis makes them easier to maintain and create, but what
>> about the users? The fact that there are several vulnerability
>> definitions per CVE be confusing. When a user searches for a CVE
>> they will find multiple matches instead of one.
>>
>> My thought is that we can merge definitions later if we need to. It
>> would be nice to remove challenges from creation and management of
>> the content in order to encourage broader coverage for CVEs. I am
>> curious to know what others think. Does it make sense to allow many
>> definitions per CVE?
>>
>> Jon
>>
>> ============================================
>> Jonathan O. Baker
>> G022 - IA Industry Collaboration
>> The MITRE Corporation
>> Email: [hidden email]
>>
>>
>>> -----Original Message-----
>>> From: Chandrashekhar B [mailto:[hidden email]]
>>> Sent: Wednesday, November 18, 2009 1:16 AM
>>> To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
>>> Subject: Re: [OVAL-DISCUSSION-LIST] OVAL Definitions for Wireshark
>>>
>>> Hello,
>>>
>>> The focus has been Windows to start with for us. I agree that we should
>>> check other platforms as well. But, I don't understand the need for it to
>>> be in a single definition. There are two issues with that,
>>>
>>> 1. Linux vendors maintain packages (backport) separately and they release
>>> advisories and solution not necessarily at the same time when CVE is
>>> reported. The vulnerable versions mentioned in the CVE's are not
>>> necessarily the version that is vulnerable on Fedora or Debian. At the
>>> time of writing OVAL vulnerability definition for each CVE, Linux vendor
>>> wouldn't have released their advisories. The options are,
>>>
>>> a. Write the def as per the CVE (version check) and update when a vendor
>>> security advisory is released as per the advisory.
>>>
>>> b. Write separate definitions as per the vendor security advisory as and
>>> when they release for each platform. This mostly can be automated (we are
>>> still working on Debian).
>>>
>>> I prefer option #b since it is easy to deal with, maintenance is easy,
>>> helps to automate as well.
>>>
>>> 2. The definitions are anyway getting distributed per platform, why write
>>> as single definition and then split the definition per platform while
>>> distributing?
>>>
>>> But, if there are products/tools that aren't maintained by Linux vendors,
>>> like Adobe Reader, we could combine into one definition.
>>>
>>> Thanks,
>>> Chandra.
>>>
>>>
>>>> -----Original Message-----
>>>> From: Baker, Jon [mailto:[hidden email]]
>>>> Sent: Wednesday, November 18, 2009 7:38 AM
>>>> To: [hidden email]
>>>> Subject: Re: [OVAL-DISCUSSION-LIST] OVAL Definitions for Wireshark
>>>>
>>>> This is a common situation. Over the years we have had
>>>> windows based vulnerability definitions contributed for
>>>> numerous applications (Firefox, Safari, etc) that also affect
>>>> linux and other platforms. Our intent for vulnerability
>>>> definitions has been to write one oval definition per issue.
>>>> This can be achieved by adding an <affected> element for each
>>>> affected family. Then in the criteria section of the
>>>> definition we can 'OR' together separate criteria blocks for
>>>> each affected platform. Here is a rough example of the
>>>> criteria section:
>>>>
>>>> <criteria operator="OR">
>>>>  <criteria operator="AND" comment="Windows vulnerability
>>>> conditions">
>>>>    <extend_definition comment="Wireshark is intalled on the
>>>> system." definition_ref="oval:org.mitre.oval:def:6589"/>
>>>>    <criterion comment="Check for version of Wireshark
>>>> installed on the system is 1.2.0 through 1.2.2"
>>>> test_ref="oval:org.mitre.oval:tst:10498"/>
>>>>  </criteria>
>>>>  <criteria operator="AND" comment="Red Hat vulnerability
>>>> conditions">
>>>>    <!-- insert test references here -->
>>>>  </criteria>
>>>> </criteria>
>>>>
>>>> If there is interest in researching and developing other
>>>> platform checks like this we can certainly update this
>>>> submission and other definitions as needed. In looking closer
>>>> at this submission it occurs to me that if we did add in
>>>> checks for other platforms we might also want to update the
>>>> inventory definition to either state that it is for windows
>>>> only or support other platforms too.
>>>>
>>>> Regards,
>>>>
>>>> Jon
>>>>
>>>> ============================================
>>>> Jonathan O. Baker
>>>> G022 - IA Industry Collaboration
>>>> The MITRE Corporation
>>>> Email: [hidden email]
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: Thomas R. Jones [mailto:[hidden email]]
>>>>> Sent: Tuesday, November 17, 2009 9:31 AM
>>>>> To: oval-discussion-list OVAL Discussion List/Closed Public
>>>>> Discussi
>>>>> Subject: Re: [OVAL-DISCUSSION-LIST] OVAL Definitions for Wireshark
>>>>>
>>>>> Prabhu.S.A,
>>>>>
>>>>> Wireshark is also available for almost every Linux system on the market.
>>>>>
>>>>> Cheers,
>>>>> Thomas
>>>>>
>>>>> On Tue, 2009-11-17 at 12:26 +0530, prabhu wrote:
>>>>>> Submitting  OVAL Definitions for Multiple Vulnerabilities in
>>>>>> Wireshark.
>>>>>> Inventories for : Wireshark
>>>>>> Thanks & Regards,
>>>>>> Prabhu.S.A
>>>>>> www.secpod.com

Re: OVAL Definitions for Wireshark

Robert Hollis
I'd like to see it more as an OVAL Definition per CVE per family approach.

So, if there's a vulnerability against Firefox (for example), there would be
a Windows version and a Unix version.  That would add maintenance overhead,
but that seems to make more sense as we prep and distribute content for
operational use.

        -rob



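To make the trade-off in this thread concrete, here is an added example (not from the thread, the OVAL Repository or SecPod) that takes one merged definition shaped like Jon's OR'd per-platform criteria and derives the per-family copies Rob proposes, classifying each branch by the namespace of the tests it references; it also flags definitions whose <affected> declarations no longer match the checks they carry, the inventory caveat Jon raised. The sample document, every id in it and the COMPONENT_FAMILY mapping are constructed assumptions.

```python
import xml.etree.ElementTree as ET

OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
D = "{%s}" % OVAL_DEF

# Test namespace suffix (after '#') -> <affected family="..."> value; 'independent' maps to None.
COMPONENT_FAMILY = {"windows": "windows", "macos": "macos", "linux": "unix", "unix": "unix", "solaris": "unix"}

# Constructed sample shaped like the criteria quoted in the thread; ids, platforms and tests are
# placeholders, not OVAL Repository content. def:1 declares only a Windows <affected> block.
SAMPLE = f"""<oval_definitions xmlns="{OVAL_DEF}">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="vulnerability">
      <metadata><title>Constructed Wireshark issue</title><affected family="windows"><product>Wireshark</product></affected></metadata>
      <criteria operator="OR">
        <criteria operator="AND" comment="Windows vulnerability conditions">
          <extend_definition comment="Wireshark is installed" definition_ref="oval:example:def:100"/>
          <criterion comment="Wireshark 1.2.0 through 1.2.2" test_ref="oval:example:tst:1"/>
        </criteria>
        <criteria operator="AND" comment="Red Hat vulnerability conditions">
          <criterion comment="wireshark rpm below fixed build" test_ref="oval:example:tst:2"/>
        </criteria>
      </criteria>
    </definition>
    <definition id="oval:example:def:100" version="1" class="inventory">
      <metadata><title>Constructed Wireshark inventory</title><affected family="windows"><product>Wireshark</product></affected></metadata>
      <criteria><criterion comment="registry key present" test_ref="oval:example:tst:3"/></criteria>
    </definition>
  </definitions>
  <tests>
    <registry_test xmlns="{OVAL_DEF}#windows" id="oval:example:tst:1" version="1" check="all" comment="c"/>
    <rpminfo_test xmlns="{OVAL_DEF}#linux" id="oval:example:tst:2" version="1" check="all" comment="c"/>
    <registry_test xmlns="{OVAL_DEF}#windows" id="oval:example:tst:3" version="1" check="all" comment="c"/>
  </tests>
</oval_definitions>"""

def _index(root):
    """Test id -> family (read off the test element's namespace); definition id -> element."""
    tests = {t.get("id"): COMPONENT_FAMILY.get(t.tag[1:].split("}")[0].rsplit("#", 1)[-1]) for t in root.find(D + "tests")}
    return tests, {d.get("id"): d for d in root.find(D + "definitions")}

def _families(node, tests, defs, stack=()):
    """Families tested anywhere under a criteria node; an empty set means family-neutral."""
    if node is None:
        return set()
    tag = node.tag[len(D):]
    if tag == "criterion":
        return {tests.get(node.get("test_ref"))} - {None}
    if tag == "extend_definition":             # follow the reference, guard against cycles
        ref = node.get("definition_ref")
        crit = defs[ref].find(D + "criteria") if ref in defs and ref not in stack else None
        return _families(crit, tests, defs, stack + (ref,))
    return set().union(*(_families(c, tests, defs, stack) for c in node))

def _prune(node, family, tests, defs):
    """Drop branches that test only other families (OVAL's result tables ignore 'not applicable')."""
    for child in list(node):
        fams = _families(child, tests, defs)
        if fams and family not in fams:
            node.remove(child)
        elif child.tag == D + "criteria":
            _prune(child, family, tests, defs)
            if len(child) == 0:
                node.remove(child)

def slice_for_family(xml_text, family):
    """Return a root element holding only the logic usable on `family`."""
    tests, defs = _index(ET.fromstring(xml_text))    # index a pristine copy
    root = ET.fromstring(xml_text)
    defs_el = root.find(D + "definitions")
    for d in list(defs_el):
        for aff in [a for a in d.iter(D + "affected") if a.get("family") != family]:
            d.find(D + "metadata").remove(aff)
        crit = d.find(D + "criteria")
        if crit is not None:
            _prune(crit, family, tests, defs)
            if len(crit) == 0:
                defs_el.remove(d)                    # nothing left for this family
    used = {c.get("test_ref") for c in root.iter(D + "criterion")}
    for t in [t for t in root.find(D + "tests") if t.get("id") not in used]:
        root.find(D + "tests").remove(t)             # smaller per-family package
    return root

def summarize(root):
    """Ids and branch comments left in a slice, for inspection and tests."""
    return {"definitions": sorted(d.get("id") for d in root.find(D + "definitions")),
            "tests": sorted(t.get("id") for t in root.find(D + "tests")),
            "branches": sorted(c.get("comment") for c in root.iter(D + "criteria") if c.get("comment"))}

def affected_mismatches(xml_text):
    """Definitions whose <affected> families differ from what their criteria actually test."""
    tests, defs = _index(ET.fromstring(xml_text))
    bad = {}
    for d in defs.values():
        declared = {a.get("family") for a in d.iter(D + "affected")}
        used = _families(d.find(D + "criteria"), tests, defs)
        if used and declared != used:
            bad[d.get("id")] = (sorted(declared), sorted(used))
    return bad
```

slice_for_family(SAMPLE, "unix") keeps only the Red Hat branch and its rpminfo test, while affected_mismatches(SAMPLE) flags def:1 because its criteria test unix as well as windows but <affected> declares windows alone.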

Re: OVAL Definitions for Wireshark

Andrew Buttner
Administrator
Rob,

Can you explain more about why this would help in the prep and distribution of content?  I am curious as to the problems with the current approach that you and other vendors might be facing.

Thanks
Drew





Re: OVAL Definitions for Wireshark

Robert Hollis
Hi Drew,

I wouldn't go so far as to call it a problem, more so a look at optimization
and efficiency.  For the most part, the vuln defs are naturally segregated
by family.  As we add more cross-platform vulnerabilities, it'd be nice to
be able to avoid carrying Windows logic when assessing a Unix target, and
vice versa.  The interpreters will disregard most of the extra logic, so
this isn't a functional concern.  It's just that removing unnecessary logic
(relative to the target at hand) allows for smaller distribution packages.

Of course, there are trade-offs in terms of maintenance.  So, it may not
make sense to go as granular as OVAL/CVE/platform.

This is more of a preference than an angle to champion.

        -rob


.  -----Original Message-----
.  From: Buttner, Drew [mailto:[hidden email]]
.  Sent: Wednesday, November 25, 2009 8:13 AM
.  To: [hidden email]
.  Subject: Re: [OVAL-DISCUSSION-LIST] OVAL Definitions for Wireshark
.  
.  Rob,
.  
.  Can you explain more about why this would help in the prep and
.  distribution of content?  I am curious as the problems with the
.  current approach that you and other vendors might be facing.
.  
.  Thanks
.  Drew
.  
.  
.  
.  >-----Original Message-----
.  >From: Robert Hollis [mailto:[hidden email]]
.  >Sent: Wednesday, November 25, 2009 9:09 AM
.  >To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
.  >Subject: Re: [OVAL-DISCUSSION-LIST] OVAL Definitions for Wireshark
.  >
.  >I'd like to see it more as an OVAL Definition per CVE per family
.  approach.
.  >
.  >So, if there's a vulnerability against Firefox (for example), there
.  would be
.  >a Windows version and a Unix version.  That would add maintenance
.  overhead,
.  >but that seems to make more sense as we prep and distribute content
.  for
.  >operational use.
.  >
.  > -rob
.  >
.  >
.  >.  -----Original Message-----
.  >.  From: Baker, Jon [mailto:[hidden email]]
.  >.  Sent: Wednesday, November 25, 2009 7:49 AM
.  >.  To: [hidden email]
.  >.  Subject: Re: [OVAL-DISCUSSION-LIST] OVAL Definitions for Wireshark
.  >.
.  >.  As Thomas, has pointed out there are a number of issues with
.  splitting
.  >.  vulnerability definitions up such that there are many definitions
.  for
.  >.  one CVE. However, as we discussed on this thread there is a real
.  >.  burden to forcing a one definition to one CVE rule in the OVAL
.  >.  Repository. At the moment I think that the best we can
.  realistically
.  >.  achieve is to continue working with an goal of having only one
.  >.  definition per CVE, and on a case by case basis consider allowing
.  for
.  >.  more than one definition for a given CVE. We can discuss specific
.  >.  cases/issues on this list when and if they arise.
.  >.
.  >.  Jon
.  >.
.  >.  ============================================
.  >.  Jonathan O. Baker
.  >.  G022 - IA Industry Collaboration
.  >.  The MITRE Corporation
.  >.  Email: [hidden email]
.  >.
.  >.
.  >.  >-----Original Message-----
.  >.  >From: Thomas R. Jones [mailto:[hidden email]]
.  >.  >Sent: Wednesday, November 18, 2009 7:51 AM
.  >.  >To: oval-discussion-list OVAL Discussion List/Closed Public
.  Discussi
.  >.  >Subject: Re: [OVAL-DISCUSSION-LIST] OVAL Definitions for
.  Wireshark
.  >.  >
.  >.  >My 2 cents. We should write definitions that accurately and
.  >.  completely
.  >.  >cover a CVE. It should be produced to ensure the greatest amount
.  of
.  >.  >precision without introducing false negatives.
.  >.  >
.  >.  >Whatever distros or products are covered by a given CVE should
.  also
.  >.  be
.  >.  >covered by the definition. Otherwise we risk missed attibutes and
.  >.  >tests and ultimately introduce an inadvertant non-coverage issue.
.  >.  >
.  >.  >Sent from my iPhone
.  >.  >
.  >.  >On Nov 18, 2009, at 7:21 AM, "Baker, Jon" <[hidden email]>
.  wrote:
.  >.  >
.  >.  >> The decision to create one definition per CVE was made several
.  >.  years
.  >.  >> ago. I certainly see that aligning vulnerability definitions on
.  a
.  >.  >> per vendor basis makes them easier to maintain and create, but
.  what
.  >.  >> about the users? The fact that there are several vulnerability
.  >.  >> definitions per CVE be confusing. When a user searches for a
.  CVE
.  >.  >> they will find multiple matches instead of one.
.  >.  >>
.  >.  >> My thought is that we can merge definitions later if we need
.  to. It
.  >.  >> would be nice to remove challenges from creation and management
.  of
.  >.  >> the content in order to encourage broader coverage for CVEs. I
.  am
.  >.  >> curious to know what others think. Does it make sense to allow
.  many
.  >.  >> definitions per CVE?
.  >.  >>
.  >.  >> Jon
.  >.  >>
.  >.  >> ============================================
.  >.  >> Jonathan O. Baker
.  >.  >> G022 - IA Industry Collaboration
.  >.  >> The MITRE Corporation
.  >.  >> Email: [hidden email]
.  >.  >>
.  >.  >>
.  >.  >>> -----Original Message-----
.  >.  >>> From: Chandrashekhar B [mailto:[hidden email]]
.  >.  >>> Sent: Wednesday, November 18, 2009 1:16 AM
.  >.  >>> To: oval-discussion-list OVAL Discussion List/Closed Public
.  >.  Discussi
.  >.  >>> Subject: Re: [OVAL-DISCUSSION-LIST] OVAL Definitions for
.  Wireshark
.  >.  >>>
.  >.  >>> Hello,
.  >.  >>>
.  >.  >>> The focus has been Windows to start with for us. I agree that
.  we
.  >.  >>> should
.  >.  >>> check other platforms as well. But, I don't understand the
.  need
.  >.  for
.  >.  >>> it to
.  >.  >>> be
.  >.  >>> in a single definition. There are two issues with that,
.  >.  >>>
.  >.  >>> 1. Linux vendors maintain packages (backport) seperately and
.  they
.  >.  >>> release
.  >.  >>> advisories and solution not necessarility at the same time
.  when
.  >.  CVE
.  >.  >>> is
.  >.  >>> reported. The vulnerable versions mentioned in the CVE's are
.  not
.  >.  >>> necessariliy the version that is vulnerable on Fedora or
.  Debian.
.  >.  At
.  >.  >>> the
.  >.  >>> time
.  >.  >>> of writing OVAL vulnerability definition for each CVE, Linux
.  >.  vendor
.  >.  >>> wouldn't
.  >.  >>> have released their advisories. The options are,
.  >.  >>>
.  >.  >>> a. Write the def as per the CVE (version check) and update
.  when a
.  >.  >>> vendor
.  >.  >>> security advisory is released as per the advisory.
.  >.  >>>
.  >.  >>> b. Write separate definitions as per the vendor security
.  advisory
.  >.  >>> as and
.  >.  >>> when they release for each platform. This mostly can be
.  automated
.  >.  >>> (we are
.  >.  >>> still working on Debian).
.  >.  >>>
.  >.  >>> I prefer option #b since it is easy to deal with, maintenance
.  is
.  >.  >>> easy,
.  >.  >>> helps
.  >.  >>> to automate as well.
.  >.  >>>
.  >.  >>> 2. The definitions are anyway getting distributed per
.  platform,
.  >.  why
.  >.  >>> write
.  >.  >>> as
.  >.  >>> single defintion and then split the definition per platform
.  while
.  >.  >>> distributing?
.  >.  >>>
.  >.  >>> But, if there are products/tools that aren't maintained by
.  Linux
.  >.  >>> vendors,
.  >.  >>> like Adobe Reader, we could combine into one definition.
.  >.  >>>
.  >.  >>> Thanks,
.  >.  >>> Chandra.
.  >.  >>>
.  >.  >>>
> > >>>> -----Original Message-----
> > >>>> From: Baker, Jon [mailto:[hidden email]]
> > >>>> Sent: Wednesday, November 18, 2009 7:38 AM
> > >>>> To: [hidden email]
> > >>>> Subject: Re: [OVAL-DISCUSSION-LIST] OVAL Definitions for Wireshark
> > >>>>
> > >>>> This is a common situation. Over the years we have had Windows-based
> > >>>> vulnerability definitions contributed for numerous applications
> > >>>> (Firefox, Safari, etc.) that also affect Linux and other platforms.
> > >>>> Our intent for vulnerability definitions has been to write one OVAL
> > >>>> definition per issue. This can be achieved by adding an <affected>
> > >>>> element for each affected family. Then in the criteria section of the
> > >>>> definition we can 'OR' together separate criteria blocks for each
> > >>>> affected platform. Here is a rough example of the criteria section:
> > >>>>
> > >>>> <criteria operator="OR">
> > >>>>   <criteria operator="AND" comment="Windows vulnerability conditions">
> > >>>>     <extend_definition comment="Wireshark is installed on the system."
> > >>>>                        definition_ref="oval:org.mitre.oval:def:6589"/>
> > >>>>     <criterion comment="Check for version of Wireshark installed on
> > >>>>                the system is 1.2.0 through 1.2.2"
> > >>>>                test_ref="oval:org.mitre.oval:tst:10498"/>
> > >>>>   </criteria>
> > >>>>   <criteria operator="AND" comment="Red Hat vulnerability conditions">
> > >>>>     <!-- insert test references here -->
> > >>>>   </criteria>
> > >>>> </criteria>
> > >>>>
> > >>>> If there is interest in researching and developing other platform
> > >>>> checks like this we can certainly update this submission and other
> > >>>> definitions as needed. In looking closer at this submission it occurs
> > >>>> to me that if we did add in checks for other platforms we might also
> > >>>> want to update the inventory definition to either state that it is for
> > >>>> Windows only or support other platforms too.
> > >>>>
> > >>>> Regards,
> > >>>>
> > >>>> Jon
> > >>>>
> > >>>> ============================================
> > >>>> Jonathan O. Baker
> > >>>> G022 - IA Industry Collaboration
> > >>>> The MITRE Corporation
> > >>>> Email: [hidden email]
> > >>>>
> > >>>>
> > >>>>> -----Original Message-----
> > >>>>> From: Thomas R. Jones [mailto:[hidden email]]
> > >>>>> Sent: Tuesday, November 17, 2009 9:31 AM
> > >>>>> To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
> > >>>>> Subject: Re: [OVAL-DISCUSSION-LIST] OVAL Definitions for Wireshark
> > >>>>>
> > >>>>> Prabhu.S.A,
> > >>>>>
> > >>>>> Wireshark is also available for almost every Linux system on the
> > >>>>> market.
> > >>>>>
> > >>>>> Cheers,
> > >>>>> Thomas
> > >>>>>
> > >>>>> On Tue, 2009-11-17 at 12:26 +0530, prabhu wrote:
> > >>>>>> Submitting OVAL Definitions for Multiple Vulnerabilities in
> > >>>>>> Wireshark.
> > >>>>>> Inventories for : Wireshark
> > >>>>>> Thanks & Regards,
> > >>>>>> Prabhu.S.A
> > >>>>>> www.secpod.com

To unsubscribe, send an email message to [hidden email] with
SIGNOFF OVAL-DISCUSSION-LIST
in the BODY of the message.  If you have difficulties, write to [hidden email].
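The OR-of-platform-branches criteria Jon sketches above only works because OVAL's AND/OR result rules treat a "not applicable" branch as transparent. This added example (not code from the thread or from the OVAL Repository) evaluates that criteria structure with those rules; the Red Hat branch uses a hypothetical placeholder test_ref, and the per-host collector results are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the OR-of-platform-branches criteria from the thread, with a
# hypothetical placeholder test_ref standing in for the Red Hat checks.
CRITERIA_XML = """
<criteria operator="OR">
  <criteria operator="AND" comment="Windows vulnerability conditions">
    <extend_definition comment="Wireshark is installed on the system."
                       definition_ref="oval:org.mitre.oval:def:6589"/>
    <criterion comment="Wireshark 1.2.0 through 1.2.2 is installed"
               test_ref="oval:org.mitre.oval:tst:10498"/>
  </criteria>
  <criteria operator="AND" comment="Red Hat vulnerability conditions">
    <criterion comment="placeholder RPM version check"
               test_ref="oval:example:tst:RHEL-PLACEHOLDER"/>
  </criteria>
</criteria>
"""

def combine(operator, results):
    """OVAL AND/OR rules for the states true, false, unknown, not applicable.
    'not applicable' children are ignored unless every child is one, which is
    what lets a Linux-only branch sit harmlessly in a definition run on Windows."""
    live = [r for r in results if r != "not applicable"]
    if not live:
        return "not applicable"
    if operator == "AND":
        if "false" in live:
            return "false"
        return "unknown" if "unknown" in live else "true"
    if "true" in live:          # operator == "OR"
        return "true"
    return "unknown" if "unknown" in live else "false"

def evaluate(node, results):
    """Walk a <criteria> tree; results maps test_ref/definition_ref to a state."""
    if node.tag == "criteria":
        children = [evaluate(child, results) for child in node]
        return combine(node.get("operator", "AND"), children)
    ref = node.get("test_ref") or node.get("definition_ref")
    return results.get(ref, "unknown")   # an uncollected ref stays unknown

def evaluate_definition(results):
    return evaluate(ET.fromstring(CRITERIA_XML.strip()), results)

# Constructed collector results for a Windows host running Wireshark 1.2.1.
WINDOWS_VULNERABLE = {"oval:org.mitre.oval:def:6589": "true",
                      "oval:org.mitre.oval:tst:10498": "true",
                      "oval:example:tst:RHEL-PLACEHOLDER": "not applicable"}
```

A host where every branch reports "not applicable" yields "not applicable" for the whole definition, which is the signal that the submission's inventory definition should say which platforms it actually covers.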