Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Snort and Nessus Signature

from [Jason] Network Security [Permanent Link]
Subject: Re: Snort and Nessus Signature
Date: Sat, 24 Sep 2005 11:08:09 -0400


Vikram Phatak wrote: 
Hi Crux,

It is not a simple matter to integrate Nessus & Snort since there are quite a few errors in the snort signatures, or in the supporting information for many of the snort signatures (CVE, BID, descriptions, etc.). 

How so? Please provide a little more information.

Also, many snort signatures do not have CVE, BID references since historically they have written based upon packet captures of specific exploits, (such as "Sasser") as opposed to vulnerabilities
(LSASS), which is how CVE entries are sorted.

Absolutely incorrect. LSASS is the detect method and the rules detect exploitation of a vulnerability not an exploit.

And there is no publicly available DB that I know of that correlates exploits to vulnerabilities.

So - In many cases, you will need to determine which vulnerability a specific exploit was written to take advantage of, and work your way back from there. 

bugtraq reference: 1565
references: 1441
arachNIDS references: 432
McAfee reference: 9
nessus reference: 676
url reference: 971
any reference: 2713

Total number of rules 3910

Bugtraq coverage: 40%
cve coverage: 36%
arachNIDS coverage: 11%
McAfee coverage: 2%
Nessus coverage: 17%
url coverage: 25%

Percentage coverage any reference: 70%


We (Lucid Security) have found that it was far more efficient (and reliable) to choose the OS & Application versions that we want to protect (MSFT, Linux, Solaris, Apache, IIS, SQL, etc.) and prioritize accordingly. We then chose the appropriate CVE entries that met the requirements of our "filter" and wrote and tested signatures based upon the vulnerability accordingly. If there was an existing signature that met our requirements, then great! But we found that was rarely the case.

I take it you are not in the spirit of the community and as such are either selling your wares and saying screw the rest of the community or you are simply spreading FUD. Which is it?


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Snort and Nessus Signature, Vikram Phatak
Next by Date:  Re: Snort and Nessus Signature, Vikram Phatak
Previous by Thread:  Re: Snort and Nessus Signature, Ron Gula
Next by Thread:  Re: Snort and Nessus Signature, Vikram Phatak
Indexes:  [Date] [Thread] [Top] [All Lists]