
| Subject: | RE: Snort and Nessus Signature |
|---|---|
| Date: | Fri, 16 Sep 2005 12:54:11 -0400 |
-----Original Message-----
From: cruxiezzzzz@yahoo.com [mailto:cruxiezzzzz@yahoo.com]
Sent: Friday, September 16, 2005 2:53 AM
To: focus-ids@securityfocus.com
Subject: Snort and Nessus Signature

Hi All,

I am doing some research into integrating Snort and Nessus together. Just wondering if there are any Snort or Nessus experts out there that can tell me if they are using the same tables for their signatures, because I understand that they both use CVE and BID tracking. Not too sure about the way their signatures are stored, though. Would be great if anyone out there can shed some light on this.

Thanks a lot,
Crux
Snort sigs are all stored in text files and there's plenty of documentation on them. Many have BIDs and CVE numbers and some even have Nessus plugin IDs. However, there are some that have only Snort signature IDs or are generated by preprocessors. Those signatures are usually just generically bad packets.

My suggestion (and I'm not a CISSP or anything, so it's just what I think, and if you already thought of this good for you): Find a way to store Snort rules and Nessus signatures in a database and use some program to generate your own flat-file Snort ruleset. Leave all Snort rules that don't have any of those IDs in the ruleset. Run Nessus and then whatever matches you get you can now correlate with Snort signatures. Add those to your ruleset and you'll have a fairly optimized set. I've occasionally considered doing something like this but have always lacked the time.

I wouldn't do this if I were going to use Snort-Inline as an IPS, though. Since I[D|P]Ses are an "enumerating badness" game I'd want to block as much bad traffic as I could get away with. With an IDS, I want to know about recon activity and exploits that can actually hurt me.

Derick Anderson
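The correlation Derick sketches (keep every rule that carries no matchable reference, add the rules whose CVE, BugTraq or Nessus plugin references overlap what Nessus actually found, drop the rest) can be done with a short script over the flat rule files. The following is an added example written for this archive page, not code from the thread or from the Snort or Nessus projects. The rule text, the sid values and the Nessus findings are all constructed; the finding dictionaries stand in for whatever your Nessus export format provides, and the helper names (`rule_keys`, `finding_keys`, `build_ruleset`) are this example's own. It parses the standard Snort `reference:<system>,<id>;` option, which is where the CVE (`cve`), BID (`bugtraq`) and Nessus (`nessus`) identifiers live.

```python
"""Trim a Snort ruleset to rules that either lack matchable references or
match the references seen in a Nessus scan.

Added example for the mailing-list discussion; all sample data is constructed.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample rules in Snort's text format (sids 1000001-1000004 are made up).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example overflow"; flow:to_server,established; content:"/example.cgi"; reference:cve,2004-0001; reference:bugtraq,10000; classtype:web-application-attack; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example command overflow"; flow:to_server,established; content:"SITE"; reference:bugtraq,10001; reference:nessus,10002; classtype:attempted-admin; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP example"; flow:to_server,established; content:"EXPN"; reference:cve,2004-0003; sid:1000003; rev:1;)
# comment lines and blank lines are skipped
alert ip any any -> any any (msg:"BAD-TRAFFIC example bad packet"; ipopts:lsrr; classtype:bad-unknown; sid:1000004; rev:1;)
"""

# Constructed Nessus findings; plugin ids, CVE and BID values are made up.
SAMPLE_NESSUS_FINDINGS = [
    {"plugin_id": 10002, "host": "192.0.2.10", "cve": ["CVE-2004-0002"], "bid": ["10001"]},
    {"plugin_id": 10099, "host": "192.0.2.11", "cve": ["CVE-2004-0099"], "bid": []},
]

REF_RE = re.compile(r"reference:\s*(\w+)\s*,\s*([^;]+);")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

# Snort reference systems that Nessus data can be matched against; other
# systems (url, arachnids, ...) are ignored because Nessus does not carry them.
REF_SYSTEMS = {"cve": "cve", "bugtraq": "bid", "nessus": "nessus"}


def normalise_cve(value: str) -> str:
    """Reduce 'CVE-2004-0001' / 'CAN-2004-0001' / '2004-0001' to '2004-0001'."""
    v = value.strip().upper()
    if v.startswith("CVE-") or v.startswith("CAN-"):
        v = v[4:]
    return v


def rule_keys(rule: str) -> Set[str]:
    """Normalised reference keys of one rule, e.g. {'cve:2004-0001', 'bid:10000'}."""
    keys: Set[str] = set()
    for system, ident in REF_RE.findall(rule):
        system = system.lower()
        if system not in REF_SYSTEMS:
            continue
        ident = ident.strip()
        if system == "cve":
            ident = normalise_cve(ident)
        keys.add(f"{REF_SYSTEMS[system]}:{ident}")
    return keys


def finding_keys(findings: Iterable[dict]) -> Set[str]:
    """Every CVE, BID and plugin id that the scan reported, in the same key form."""
    keys: Set[str] = set()
    for f in findings:
        keys.add(f"nessus:{f['plugin_id']}")
        keys.update(f"cve:{normalise_cve(c)}" for c in f.get("cve", []))
        keys.update(f"bid:{str(b).strip()}" for b in f.get("bid", []))
    return keys


def iter_rules(text: str) -> Iterable[str]:
    """Yield logical rule lines, joining backslash continuations, skipping comments."""
    buf = ""
    for line in text.splitlines():
        stripped = line.strip()
        if not buf and (not stripped or stripped.startswith("#")):
            continue
        buf = f"{buf} {stripped}" if buf else stripped
        if buf.endswith("\\"):
            buf = buf[:-1].rstrip()
            continue
        yield buf
        buf = ""
    if buf:
        yield buf


def build_ruleset(rules_text: str, findings: Iterable[dict]) -> Tuple[List[str], Dict[str, List[int]]]:
    """Keep rules with no matchable references plus rules matching the findings;
    return the kept rule lines and a sid report for auditing what was dropped."""
    wanted = finding_keys(findings)
    kept: List[str] = []
    report: Dict[str, List[int]] = {"no_reference": [], "matched": [], "dropped": []}
    for rule in iter_rules(rules_text):
        m = SID_RE.search(rule)
        sid = int(m.group(1)) if m else -1
        keys = rule_keys(rule)
        if not keys:
            kept.append(rule)
            report["no_reference"].append(sid)
        elif keys & wanted:
            kept.append(rule)
            report["matched"].append(sid)
        else:
            report["dropped"].append(sid)
    return kept, report


if __name__ == "__main__":
    rules, report = build_ruleset(SAMPLE_RULES, SAMPLE_NESSUS_FINDINGS)
    print("\n".join(rules))
    print(report)
```

Keep the `dropped` list from the report: it is the audit trail showing which detections you gave up because the scanner saw no matching service, which is exactly the trade-off Derick notes is acceptable for an IDS but not for an inline IPS.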