IDS mailing list archives
Re: Snort and Nessus Signature
From: Vikram Phatak <vphatak () lucidsecurity com>
Date: Sat, 17 Sep 2005 00:28:04 -0400
Hi Crux,It is not a simple matter to integrate Nessus & Snort since there are quite a few errors in the snort signatures, or in the supporting information for many of the snort signatures (CVE, BID, descriptions, etc.). Also, many snort signatures do not have CVE, BID references since historically they have written based upon packet captures of specific exploits, (such as "Sasser") as opposed to vulnerabilities (LSASS), which is how CVE entries are sorted. And there is no publicly available DB that I know of that correlates exploits to vulnerabilities.
So - In many cases, you will need to determine which vulnerability a specific exploit was written to take advantage of, and work your way back from there.
We (Lucid Security) have found that it was far more efficient (and reliable) to choose the OS & Application versions that we want to protect (MSFT, Linux, Solaris, Apache, IIS, SQL, etc.) and prioritize accordingly. We then chose the appropriate CVE entries that met the requirements of our "filter" and wrote and tested signatures based upon the vulnerability accordingly. If there was an existing signature that met our requirements, then great! But we found that was rarely the case. The good news was that our resulting signature base could then be correlated not just by Nessus, but by OS Version, Application version, etc. so that we could use multiple methods to discover and profile devices on the network and increase the confidence of our correlated results..
I guess what I am trying to say is that without a lot of additional work, there is very little value in simply correlating Nessus to Snort via CVE & BID entries. I am not trying to discourage you, but thought you might want to know what you are getting into prior to investing a lot of time and energy. If you have any additional questions, please feel free to contact me. Good luck with your efforts!
Best Regards, -Vik -- Vikram Phatak CTO, Lucid Security http://www.lucidsecurity.com cruxiezzzzz () yahoo com wrote:
Hi All,I am doing some research into integrating Snort and Nessus together. Just wondering if there are any Snort or Nessus Experts out there that can tell me if there are using the same tables for their signatures? cause i understand that they both use the CVE and BID tracking. Not to sure bout the way their signatures are stored though. would be great if anyone out there can shed some light on this.thanks alot Crux ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.------------------------------------------------------------------------
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
Current thread:
- Snort and Nessus Signature cruxiezzzzz (Sep 16)
- Re: Snort and Nessus Signature Jason (Sep 19)
- Re: Snort and Nessus Signature Vikram Phatak (Sep 19)
- Re: Snort and Nessus Signature Michael Sierchio (Sep 21)
- Re: Snort and Nessus Signature Ron Gula (Sep 22)
- Re: Snort and Nessus Signature Olaf Gellert (Sep 26)
- Re: Snort and Nessus Signature Ron Gula (Sep 26)
- Re: Snort and Nessus Signature Michael Sierchio (Sep 21)
- Re: Snort and Nessus Signature Jason (Sep 26)
- Re: Snort and Nessus Signature Vikram Phatak (Sep 26)
- Re: Snort and Nessus Signature Jason (Sep 26)
- Re: Snort and Nessus Signature Vikram Phatak (Sep 26)