Nmap Development mailing list archives

Fwd: Vulscan - NSE script for vulnerability detection based on version detection


From: Paulino Calderon Pale <paulino () calderonpale com>
Date: Thu, 11 Jun 2015 08:45:37 -0500

Jiayi, 

I like the idea of not displaying the same alert from different databases. However, I don’t think the best approach is 
to unify the databases as it will require a lot of work to keep up to date as you mentioned. Do we know how often they 
publish these updates? Maybe we can do the matching using the vulnerability name instead. I know this will not be 100% 
reliable but it beats having to maintain a database that needs frequent updates. 

Ps. I forwarded your email to the list to include them in the discussion.

Begin forwarded message:

From: Jiayi Ye <yejiayily () gmail com>
Subject: Re: Vulscan - NSE script for vulnerability detection based on version detection
Date: June 10, 2015 at 10:02:17 PM CDT
To: Paulino Calderon Pale <paulino () calderonpale com>

Hey, as Patricio Castagnaro mentioned in the mail, did he mean that if a vuln is both in the cve db and the securityfocus db, 
it's better to show one alert? Considering that we want to update the database and we want to show only one alert, 
could we maintain a vuln db which is extracted from other dbs? And we update our db periodically, users can update their 
db through a link to our db. But it seemed that it needs an amount of manual work to maintain our own vuln db. (The 
mail is the same as the message I sent you in Skype.)

On Thu, Jun 11, 2015 at 6:21 AM, Paulino Calderon Pale <paulino () calderonpale com> wrote:
Hi list,

Jiayi is working on improving/updating Marc Ruef’s vulscan script (http://www.computec.ch/projekte/vulscan/) to finally 
get it ready for inclusion. For those unfamiliar with the script, it takes the results of version detection and matches 
possible vulnerabilities existing in several databases (cve, exploitdb, openvas, osvdb, securityfocus, securitytracker, 
xforce, scipvuldb) that will be distributed separately. The script aims to turn nmap into a vulnerability scanner that 
takes advantage of our powerful version detection engine.

Some time ago Marc even posted a second enhanced version of the script 
(http://seclists.org/fulldisclosure/2013/Aug/166) but unfortunately it seems it slipped by our attention. This week I 
asked Marc if he got any feedback and he mentioned something about Fyodor recommending him to include an ‘update 
databases’ function in the script but I wanted to see if others had also different comments/issues. The script seems to 
work as expected as it is. However, we have a couple of different ideas for improvements like:
* The script can suggest that users run other NSE scripts if the CVE id matches (and we have a script for it)
* Reducing the number of false positives by not printing information if version detection was not accurate enough. 

Does anyone remember if there was another reason why it didn’t get included? Can you think of other improvements that 
can be done? We would love to hear your ideas!

Cheers.
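A sketch of the two ideas discussed in this thread, matching alerts from different databases by vulnerability name and suppressing output when version detection is not confident enough. This is an added example, not code from vulscan or from anyone in the thread; the Finding records, the placeholder identifiers and the 0-10 confidence score passed in by the caller are all constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    db: str      # source database, e.g. "cve", "securityfocus", "osvdb"
    ident: str   # database-specific identifier (placeholders below)
    title: str   # vulnerability name as published by that database


def normalize_title(title: str) -> str:
    """Canonical key for matching one vulnerability across databases:
    lower-case, drop embedded CVE/BID/OSVDB identifiers and punctuation,
    collapse whitespace. Name matching is heuristic: differently worded
    titles for the same bug still produce two alerts."""
    t = title.lower()
    t = re.sub(r"\b(cve-\d{4}-\d+|bid-?\d+|osvdb-?\d+)\b", " ", t)
    t = re.sub(r"[^a-z0-9 ]+", " ", t)
    return " ".join(t.split())


def dedupe_by_name(findings, min_confidence, version_confidence):
    """One alert per group of same-named findings, listing every database
    that reported it. Returns no alerts at all when the version detection
    confidence (assumed 0-10 scale) is below the threshold, so a weak
    version match does not generate a page of false positives."""
    if version_confidence < min_confidence:
        return []
    groups = {}
    for f in findings:
        groups.setdefault(normalize_title(f.title), []).append(f)
    alerts = [
        {"title": group[0].title,
         "sources": sorted(f"{f.db}:{f.ident}" for f in group)}
        for group in groups.values()
    ]
    return sorted(alerts, key=lambda a: a["title"])


# Constructed sample: the first two records describe the same bug under
# the same name in two databases; the third uses different wording, which
# name-based matching cannot recognise (the "not 100% reliable" case).
SAMPLE_FINDINGS = [
    Finding("cve", "CVE-0000-0001",
            "ExampleFTPd MKD Command Buffer Overflow (CVE-0000-0001)"),
    Finding("securityfocus", "BID-0000001",
            "ExampleFTPd MKD Command Buffer Overflow"),
    Finding("osvdb", "OSVDB-0000001",
            "ExampleFTPd Remote Buffer Overflow in MKD"),
]

if __name__ == "__main__":
    for alert in dedupe_by_name(SAMPLE_FINDINGS, 7, 10):
        print(alert["title"], "<-", ", ".join(alert["sources"]))
```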


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
