IDS mailing list archives
Re: Snort and Nessus Signature
From: Teemu Schaabl <teemu () lynix net>
Date: Sat, 17 Sep 2005 09:25:32 +0200
cruxiezzzzz () yahoo com(cruxiezzzzz () yahoo com)@2005.09.16 06:52:56 -0000:
> Hi All, I am doing some research into integrating Snort and Nessus together. Just wondering if there are any Snort or Nessus experts out there that can tell me if they are using the same tables for their signatures? 'Cause I understand that they both use the CVE and BID tracking. Not too sure about the way their signatures are stored though. Would be great if anyone out there can shed some light on this.

nessus implements a scripting language, NASL (iirc nessus attack scripting language). these nasl files (plugins) are stored in flat files. some of them have dependencies (it doesn't make sense running further scanning of applications which are definitely not installed on $TARGET). they are _not_ just "patterns".

So what you've got to do is extract the actual attack and store it in your database. be aware that some of the patterns in these plugins will produce false positives if you just take them and match them against some logfiles/traffic/whatever without thinking about the dependencies. (keep in mind that we are talking about over 2500 plugins to go through and evaluate)

what is the idea behind your "integration"?

regards
teemu

--
"Every man takes the limits of his own field of vision for the limits of the world." - Schopenhauer
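
An added example, not part of the original message: one way to correlate the two rule sets on their shared CVE/BID references without treating a NASL plugin as a bare pattern, by carrying each plugin's dependencies along with the match. It assumes the plugin metadata is declared with the NASL calls `script_id`, `script_cve_id`, `script_bugtraq_id` and `script_dependencies`, and that Snort rules carry `reference:` and `sid:` options; all plugin names, IDs and rules below are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed samples: plugin names, IDs, CVE/BID numbers and SIDs are placeholders.
NASL_PLUGINS = {
    "example_httpd_overflow.nasl": 'script_id(90001); script_cve_id("CVE-0000-0001"); '
        'script_bugtraq_id(11111); script_dependencies("example_http_detect.nasl");',
    "example_ftpd_format.nasl": 'script_id(90002); script_cve_id("CAN-0000-0002", "CVE-0000-0003"); '
        'script_dependencies("example_ftp_detect.nasl", "example_ftp_banner.nasl");',
}
SNORT_RULES = [
    'alert tcp any any -> any 80 (msg:"EXAMPLE httpd"; content:"AAAA"; reference:cve,0000-0001; reference:bugtraq,11111; sid:1000001; rev:1;)',
    'alert tcp any any -> any 21 (msg:"EXAMPLE ftpd"; content:"%n"; reference:cve,0000-0003; sid:1000002; rev:1;)',
    'alert tcp any any -> any 25 (msg:"EXAMPLE smtp"; reference:bugtraq,22222; sid:1000003; rev:1;)',
]

def norm(system, ident):
    """Normalise a reference to 'cve:YYYY-NNNN' or 'bid:NNNN' (CAN- is the old candidate prefix)."""
    system = "bid" if system.lower() == "bugtraq" else system.lower()
    return system + ":" + re.sub(r"^(CVE|CAN)-", "", ident.strip().upper())

def nasl_args(call, text):
    """Collect the literal arguments of every call such as script_cve_id("...")."""
    found = re.findall(r"\b%s\s*\(([^)]*)\)" % call, text)
    return [a.strip().strip("\"'") for body in found for a in body.split(",") if a.strip()]

def parse_nasl(text):
    refs = {norm("cve", c) for c in nasl_args("script_cve_id", text)}
    refs |= {norm("bid", b) for b in nasl_args("script_bugtraq_id", text)}
    ids = nasl_args("script_id", text) or [None]
    return {"id": ids[0], "refs": refs, "deps": nasl_args("script_dependencies", text)}

def parse_snort(rule):
    sid = re.search(r"\bsid\s*:\s*(\d+)\s*;", rule)
    refs = {norm(s, i) for s, i in re.findall(r"\breference\s*:\s*(\w+)\s*,\s*([^;]+);", rule)}
    return {"sid": sid.group(1) if sid else None, "refs": refs}

def correlate(plugins, rules):
    """Map each plugin to the Snort SIDs sharing a CVE/BID, keeping its dependencies visible."""
    by_ref = defaultdict(set)
    for rule in map(parse_snort, rules):
        for ref in rule["refs"]:
            by_ref[ref].add(rule["sid"])
    out = {}
    for name, text in plugins.items():
        p = parse_nasl(text)
        sids = sorted(set().union(*(by_ref[r] for r in p["refs"] if r in by_ref)))
        out[name] = {"plugin_id": p["id"], "sids": sids, "deps": p["deps"]}
    return out
```

A shared reference only says both tools track the same issue; the `deps` list is what still has to be evaluated before a plugin's check means anything for a given host.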