Network Security Focus-IDS

Re: Snort and Nessus Signature

Subject: Re: Snort and Nessus Signature
Date: Sat, 17 Sep 2005 00:28:04 -0400
Hi Crux,

It is not a simple matter to integrate Nessus & Snort since there are quite a few errors in the snort signatures, or in the supporting information for many of the snort signatures (CVE, BID, descriptions, etc.). Also, many snort signatures do not have CVE, BID references since historically they have been written based upon packet captures of specific exploits (such as "Sasser") as opposed to vulnerabilities (LSASS), which is how CVE entries are sorted. And there is no publicly available DB that I know of that correlates exploits to vulnerabilities.

So - In many cases, you will need to determine which vulnerability a specific exploit was written to take advantage of, and work your way back from there.

We (Lucid Security) have found that it was far more efficient (and reliable) to choose the OS & Application versions that we want to protect (MSFT, Linux, Solaris, Apache, IIS, SQL, etc.) and prioritize accordingly. We then chose the appropriate CVE entries that met the requirements of our "filter" and wrote and tested signatures based upon the vulnerability accordingly. If there was an existing signature that met our requirements, then great! But we found that was rarely the case. The good news was that our resulting signature base could then be correlated not just by Nessus, but by OS Version, Application version, etc. so that we could use multiple methods to discover and profile devices on the network and increase the confidence of our correlated results.

I guess what I am trying to say is that without a lot of additional work, there is very little value in simply correlating Nessus to Snort via CVE & BID entries. I am not trying to discourage you, but thought you might want to know what you are getting into prior to investing a lot of time and energy. If you have any additional questions, please feel free to contact me. Good luck with your efforts!

Best Regards,

   -Vik
--

Vikram Phatak
CTO, Lucid Security
http://www.lucidsecurity.com



cruxiezzzzz@yahoo.com wrote:

Hi All,

I am doing some research into integrating Snort and Nessus together. Just wondering if there are any Snort or Nessus experts out there that can tell me if they are using the same tables for their signatures? Because I understand that they both use the CVE and BID tracking. Not too sure about the way their signatures are stored though. Would be great if anyone out there can shed some light on this.

Thanks a lot

Crux
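The following is an added worked example, not code from either message above and not anything Lucid Security published. It shows the mechanical part of the Snort/Nessus correlation Crux asked about and Vik cautions against relying on: Snort rules carry `reference:cve,...` and `reference:bugtraq,...` options, Nessus plugins carry `script_cve_id()` and `script_bugtraq_id()` calls in their NASL headers, and both can be indexed by a normalized CVE or BID key. It also normalizes the old `CAN-` candidate prefix so that a rule written against a candidate entry still matches, and it reports rules with no references at all, which is exactly the set Vik says must be mapped back to a vulnerability by hand. The rule text, plugin snippets, SIDs, plugin IDs and all CVE/BID identifiers are constructed placeholders, not real entries.

```python
import re
from collections import defaultdict

# Constructed sample Snort rules. The SIDs and every CVE/BID value are placeholders.
SNORT_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE LSASS-style overflow attempt"; sid:9000001; reference:cve,0000-0001; reference:bugtraq,900001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE webserver traversal"; sid:9000002; reference:cve,CAN-0000-0002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE worm propagation packet"; sid:9000003; classtype:attempted-admin;)
'''

# Constructed NASL header fragments keyed by a placeholder plugin id.
# script_cve_id() and script_bugtraq_id() are the real NASL metadata calls;
# the identifiers inside them are placeholders.
NESSUS_PLUGINS = {
    900001: 'script_cve_id("CVE-0000-0001");\n script_bugtraq_id(900001);',
    900002: 'script_cve_id("CVE-0000-0002", "CVE-0000-0003");',
}


def normalize_cve(raw):
    """Reduce 'cve,2003-0533', 'CAN-2003-0533' or 'CVE-2003-0533' to one key."""
    m = re.search(r'(\d{4})-(\d{4,})$', raw.strip())
    return f"CVE-{m.group(1)}-{m.group(2)}" if m else None


def parse_snort_rules(text):
    """Return [{'sid', 'msg', 'refs'}] with refs as a set of normalized CVE/BID keys."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("alert"):
            continue
        sid = int(re.search(r'sid:(\d+);', line).group(1))
        msg = re.search(r'msg:"([^"]*)";', line).group(1)
        refs = set()
        for kind, value in re.findall(r'reference:(\w+),([^;]+);', line):
            if kind == "cve":
                cve = normalize_cve(value)
                if cve:
                    refs.add(cve)
            elif kind == "bugtraq":
                refs.add(f"BID-{value.strip()}")
        rules.append({"sid": sid, "msg": msg, "refs": refs})
    return rules


def parse_nessus_plugins(plugins):
    """Build an inverted index: normalized CVE/BID key -> set of plugin ids."""
    index = defaultdict(set)
    for pid, nasl in plugins.items():
        for block in re.findall(r'script_cve_id\(([^)]*)\)', nasl):
            for raw in re.findall(r'"([^"]+)"', block):
                cve = normalize_cve(raw)
                if cve:
                    index[cve].add(pid)
        for block in re.findall(r'script_bugtraq_id\(([^)]*)\)', nasl):
            for bid in re.findall(r'\d+', block):
                index[f"BID-{bid}"].add(pid)
    return index


def correlate(rules, index):
    """Map each SID to matched plugin ids, or flag it as unreferenced/unmatched."""
    report = {}
    for rule in rules:
        if not rule["refs"]:
            # No CVE/BID at all: an exploit-derived rule that needs manual vulnerability mapping.
            report[rule["sid"]] = {"status": "unreferenced", "plugins": set()}
            continue
        plugins = set()
        for ref in rule["refs"]:
            plugins |= index.get(ref, set())
        status = "matched" if plugins else "unmatched"
        report[rule["sid"]] = {"status": status, "plugins": plugins}
    return report


if __name__ == "__main__":
    rules = parse_snort_rules(SNORT_RULES)
    index = parse_nessus_plugins(NESSUS_PLUGINS)
    for sid, entry in correlate(rules, index).items():
        print(sid, entry["status"], sorted(entry["plugins"]))
```

The `unreferenced` and `unmatched` buckets are the interesting output: they measure how much of a rule set cannot be tied to a Nessus finding at all, which is the "additional work" the reply above refers to. A second pass, not shown here, would have to attach a vulnerability to each of those rules by hand before any scanner-to-IDS correlation could be trusted.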

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------





