Пересл: Nessus activity detection quest

[Oleg Ruso <soy_siberiano () yahoo com>]

      пятница, 24 июля 2015 12:38 Oleg Ruso <soy_siberiano () yahoo com> писал(а):
   

 Many thanks for answers. 

For Joel Esler 

Yes, i`ve got a portscan alerts of preprocessor sfportscan, and i think, thereis some reason for a rules detection an 
addition.  What necesary to give a scan possible? I`de like to prevent it at all. 

Nessus Attack Analysis Using Snort | HITBSecNews:
|   |
|   |  |   |   |   |   |   |
| Nessus Attack Analysis Using Snort | HITBSecNewsBy: spoonfork --] 1.0 Introduction This article focuses on analysis 
of Nessus attacks using Snort... |
|  |
| Просмотреть на news.hitb.org | Предварительный просмотр с помощью Yahoo |
|  |
|   |


-------------------------------------------
YM
I`m waiting for the sid-s That`s very interesting.

Alex 


     пятница, 24 июля 2015 0:05 Y M <snort () outlook com> писал(а):
   

 #yiv9717404880 --.yiv9717404880hmmessage P{margin:0px;padding:0px;}#yiv9717404880 
body.yiv9717404880hmmessage{font-size:12pt;font-family:Calibri;}#yiv9717404880 Correct. But what I have seen - based on 
limited testing - and some discussions over the Nessus forums, is that Nessus would enable/disable plugins 
automatically based on the services/ports/applications discovered even if I explicitly enable/disable plugins. I have 
seen the rules I mentioned earlier trigger on PCI scans, Advanced Network Scans, and Web Application Scans.
This makes me believe that these are triggering during the initial discovery phase of a Nessus scan. However, I haven't 
verified this assumption by capturing packets or otherwise.
YM

From: jthoel () gmail com
Date: Thu, 23 Jul 2015 13:32:25 -0400
Subject: Re: [Snort-users] Nessus activity detection quest
To: snort () outlook com
CC: soy_siberiano () yahoo com; snort-users () lists sourceforge net

Wouldn't it also depend on the plugins that you are using with Nessus?
On Thu, Jul 23, 2015 at 1:10 PM, Y M <snort () outlook com> wrote:

There are about 3-5 signatures that almost always trigger when a Nessus  scan is initiated with different scan types, 
at least in all cases that I was able to verify. While these signatures do not identify that a Nessus scan in 
particular is ongoing, but the fact of seeing them trigger together is indicative of a Nessus scan in all cases I 
encountered. I will have to dig up some old data to get the sid(s) of these signatures.
YM

From: jesler () cisco com
To: soy_siberiano () yahoo com
Date: Thu, 23 Jul 2015 11:06:35 +0000
CC: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Nessus activity detection quest

So, you are doing a portscan, and the only alerts you see are portscans?
Nessus doesn't actually send exploits at a machine, it scans for the presence of characteristics that would make the 
machine vulnerable to an exploit.  There's nothing for Snort to detect, except the portscan part really.  

--Joel Esler Manager, Threat Intelligence and Open SourceTalos GroupSent from my iPhone
On Jul 23, 2015, at 1:17 AM, Oleg Ruso <soy_siberiano () yahoo com> wrote:


Hi List!

snort-2.9.7.0

I`m looking for some Snort rules for a Nessus activity detection.
Got an another alerts, but my Snort does not reveal a Nessus activity.
The preprocessor sfportscan detection only i see.

Regards, Alex


------------------------------------------------------------------------------


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
_______________________________________________Snort-users mailing listSnort-users@lists.sourceforge.netGo to this URL 
to change user options or unsubscribe:https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users list 
archive:http://sourceforge.net/mailarchive/forum.php?forum_name=snort-usersPlease visit http://blog.snort.org to stay 
current on all the latest Snort news! 
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


 
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

   

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!