09-05-2017 06:25 AM - edited 03-12-2019 07:29 AM
Hi,
I have a rather worrying situation where the analysis presented via the SNTC portal differs significantly to that contained within any report generated and downloaded.
Specifically this relates to PSIRT alerts. What differs is the number of devices (chassis) and the vulnerability status.
For an example taking the following alert description "Vulnerabilities in Cisco IOS Secure Shell Server"
Within SNTC under Alerts - All PSIRTs, I see that for one of my inventories 4 devices are listed as being 'vulnerable', but when I look at a Product Alerts Report (spreadsheet) the same devices are listed as being 'potentially vulnerable'. Which is correct?
As another example alert description "Cisco IOS Software and IOS XE Software TCP Packet Memory Leak Vulnerability (CVE-2015-0646)" shows that via SNTC 484 are 'vulnerable', whereas within the downloaded spreadsheet, 160 devices are reported, 17 as being 'potentially vulnerable' and 143 as 'vulnerable'. Again which information source is correct, if indeed any are?
Regards,
Graham
09-05-2017 10:16 AM
Hello Graham,
Currently the SNTC Portal displays a potentially vulnerable and vulnerable device as vulnerable on the online PSIRT reports. You can reference the offline alerts report to get more granular results and verify if a device is reflecting only as potentially vulnerable. A potentially vulnerable device means that the SNTC Portal was not able to completely validate the alert based on the collected device details, and it may require a manual validation.
Thank you,
Jarrett
09-07-2017 12:20 PM
Hi Graham,
Please let us know if you have further questions. If there is nothing further, please mark this as solved.
Thanks!
Cheri
09-08-2017 01:38 AM
Hi,
Thanks for the replies, but I'm not entirely happy with the explanation.
Given that the explicit status of each device, WRT any specific PSIRT alert being either vulnerable or potentially vulnerable, is known (since this is provided in the report), I fail to see why this distinction is not shown within the portal view?
Furthermore there is no explanation as to why the summary counts differ between the portal view and the downloaded report?
Rgds,
Graham
09-08-2017 04:03 AM
You're right Graham. CSCvd67358 was filed to address this. It will be fixed in a future release. Stay tuned.
09-08-2017 04:19 AM
Hi Chris,
Thanks for the update and I'm pleased to see a case opened to resolve it.
Will this bug case also address the significant differences in the counts (of affected devices)?
In the interim which counts do we use, the counts shown via the portal or those reported within a download spreadsheet?
Rgds,
Graham
09-08-2017 04:47 AM
09-14-2017 08:09 AM
Thanks for the info you sent me. It helped me to visualize the same as you were seeing. There isn't a count mismatch. There is a title/description mismatch that makes it appear that way to you. This is CSCvd87947. If you summarize in Excel by Alert ID instead, you'll see the counts match.
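The reconciliation described in the replies above, as an added example that is not part of the thread and not Cisco tooling: it summarizes a downloaded alerts report by Alert ID and by title, and derives the single merged count the portal shows. The column names, alert IDs, hostnames and the shortened title variant are constructed assumptions, as is the idea that the mismatch appears as one Alert ID carrying different title text.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names, alert IDs, hostnames and the
# shortened title variant are assumptions, not the real SNTC report layout.
SAMPLE_REPORT = """\
Alert ID,Title,Hostname,Status
A-1001,Cisco IOS Software and IOS XE Software TCP Packet Memory Leak Vulnerability,rtr-01,Vulnerable
A-1001,Cisco IOS Software and IOS XE Software TCP Packet Memory Leak Vulnerability,rtr-02,Vulnerable
A-1001,Cisco IOS Software and IOS XE Software TCP Packet Memory Leak Vulnerability (CVE-2015-0646),rtr-03,Potentially Vulnerable
A-1001,Cisco IOS Software and IOS XE Software TCP Packet Memory Leak Vulnerability (CVE-2015-0646),rtr-04,Vulnerable
A-1002,Vulnerabilities in Cisco IOS Secure Shell Server,sw-01,Potentially Vulnerable
A-1002,Vulnerabilities in Cisco IOS Secure Shell Server,sw-02,Potentially Vulnerable
"""


def summarize(report_csv, key):
    """Count distinct devices per value of `key`, split by report status.

    Each group also gets a "portal" count: every device that is either
    vulnerable or potentially vulnerable, which is how the portal view
    is described in the thread.
    """
    hosts = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(report_csv)):
        status = row["Status"].strip().lower()
        hosts[row[key].strip()][status].add(row["Hostname"].strip())
    summary = {}
    for group, by_status in hosts.items():
        counts = {status: len(names) for status, names in by_status.items()}
        counts["portal"] = len(set().union(*by_status.values()))
        summary[group] = counts
    return summary


def needs_manual_validation(report_csv):
    """Hostnames per Alert ID that the report marks only as potentially vulnerable."""
    pending = defaultdict(list)
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["Status"].strip().lower() == "potentially vulnerable":
            pending[row["Alert ID"].strip()].append(row["Hostname"].strip())
    return dict(pending)


if __name__ == "__main__":
    for key in ("Title", "Alert ID"):
        print(f"--- grouped by {key} ---")
        for group, counts in summarize(SAMPLE_REPORT, key).items():
            print(group, counts)
    print("manual validation:", needs_manual_validation(SAMPLE_REPORT))
```

Grouping by title splits alert A-1001 into two rows of two devices each, while grouping by Alert ID yields the single count of four that the merged portal figure corresponds to.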