IDS mailing list archives

RE: Snort and Nessus Signature


From: "Derick Anderson" <danderson () vikus com>
Date: Fri, 16 Sep 2005 12:54:11 -0400

 

-----Original Message-----
From: cruxiezzzzz () yahoo com [mailto:cruxiezzzzz () yahoo com] 
Sent: Friday, September 16, 2005 2:53 AM
To: focus-ids () securityfocus com
Subject: Snort and Nessus Signature

Hi All,
 
I am doing some research into integrating Snort and Nessus. 
Just wondering if there are any Snort or Nessus experts out 
there who can tell me if they are using the same tables for 
their signatures? 
Because I understand that they both use CVE and BID 
tracking. Not too sure about the way their signatures are 
stored though. It would be great if anyone out there could shed 
some light on this.
 
Thanks a lot
 
Crux

Snort sigs are all stored in text files and there's plenty of
documentation on them. Many have BIDs and CVE numbers and some even have
Nessus plugin IDs. However, there are some that have only Snort
signature IDs or are generated by preprocessors. Those signatures are
usually just generically bad packets.

My suggestion (and I'm not a CISSP or anything, so it's just what I
think, and if you already thought of this good for you):

Find a way to store Snort rules and Nessus signatures in a database and
use some program to generate your own flat-file Snort ruleset. Leave all
Snort rules that don't have any of those IDs in the ruleset. Run Nessus
and then whatever matches you get you can now correlate with Snort
signatures. Add those to your ruleset and you'll have a fairly optimized
set.

I've occasionally considered doing something like this but have always
lacked the time. I wouldn't do this if I were going to use Snort-Inline
as an IPS, though. Since I[D|P]Ses are an "enumerating badness" game I'd
want to block as much bad traffic as I could get away with. With an IDS,
I want to know about recon activity and exploits that can actually hurt
me.

Derick Anderson
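The correlation Derick sketches above, as an added example that is not part of the original thread and not code from the Snort or Nessus projects. Snort rules carry their cross-references inline as `reference:cve,...;`, `reference:bugtraq,...;` and `reference:nessus,...;` options, so the "database" in his suggestion can be as small as a set of normalized (kind, value) keys. The script parses a constructed ruleset, flattens a constructed list of Nessus findings (the plugin id plus CVE/BID shape of the findings is an assumption about the export, not a real report), keeps every rule that shares an identifier with a finding, and keeps every rule that has no cross-reference at all, as the reply recommends for generic bad-traffic rules. The sids and advisory numbers in the sample are placeholders.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

Ref = Tuple[str, str]  # (kind, value), e.g. ("cve", "2005-0001") or ("bid", "10001")

# Constructed sample rules in Snort rule syntax. The sids are in the local
# range and the CVE/BID/Nessus values are placeholders, not real advisories.
SAMPLE_RULES = """\
# constructed ruleset for the example
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI example.cgi overflow"; flow:to_server,established; content:"/example.cgi"; reference:cve,2005-0001; reference:bugtraq,10001; reference:nessus,90001; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example SITE overflow"; flow:to_server,established; content:"SITE "; reference:bugtraq,10002; classtype:attempted-admin; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"WEB-MISC example traversal"; content:"../"; reference:cve,CVE-2005-0003; classtype:web-application-attack; sid:1000003; rev:1;)
alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; classtype:bad-unknown; sid:1000004; rev:1;)
"""

# Constructed Nessus findings: plugin id plus the CVE/BID cross-references
# the plugin reports. Assumed export shape, not a real scan result.
SAMPLE_FINDINGS = [
    {"plugin_id": "90001", "cve": ["CVE-2005-0001"], "bid": []},
    {"plugin_id": "90002", "cve": [], "bid": ["10002"]},
    {"plugin_id": "90009", "cve": ["CVE-2005-0009"], "bid": []},
]

REF_RE = re.compile(r"reference\s*:\s*([A-Za-z_]+)\s*,\s*([^;]+?)\s*;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def normalize_ref(kind: str, value: str) -> Ref:
    """Map the different spellings of one identifier onto a single key."""
    kind = kind.lower()
    value = value.strip()
    if kind == "cve":
        # Older Snort rules write "cve,2005-0001"; Nessus reports "CVE-2005-0001".
        if value.upper().startswith("CVE-"):
            value = value[4:]
        return ("cve", value)
    if kind in ("bugtraq", "bid"):
        # Snort's reference.config calls the SecurityFocus BID system "bugtraq".
        return ("bid", value)
    return (kind, value)


def parse_rule(line: str) -> Dict:
    """Return the sid and the set of normalized references of one rule line."""
    m = SID_RE.search(line)
    if not m:
        raise ValueError("rule without sid: %s" % line[:60])
    refs = {normalize_ref(k, v) for k, v in REF_RE.findall(line)}
    return {"sid": int(m.group(1)), "refs": refs, "text": line}


def load_rules(text: str) -> List[Dict]:
    """Parse a flat-file ruleset, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rules.append(parse_rule(line))
    return rules


def findings_to_refs(findings: Iterable[Dict]) -> Set[Ref]:
    """Flatten Nessus findings into the same (kind, value) keys the rules use."""
    refs: Set[Ref] = set()
    for f in findings:
        refs.add(normalize_ref("nessus", f["plugin_id"]))
        for cve in f.get("cve", []):
            refs.add(normalize_ref("cve", cve))
        for bid in f.get("bid", []):
            refs.add(normalize_ref("bid", bid))
    return refs


def build_ruleset(rules_text: str, findings: Iterable[Dict]) -> List[Dict]:
    """Keep rules that share a CVE, BID or Nessus id with a finding, plus
    every rule that carries no cross-reference at all."""
    wanted = findings_to_refs(findings)
    return [r for r in load_rules(rules_text) if not r["refs"] or r["refs"] & wanted]


def render(rules: List[Dict]) -> str:
    """Emit the kept rules as a flat file Snort can load."""
    return "\n".join(r["text"] for r in rules) + "\n"


if __name__ == "__main__":
    print(render(build_ruleset(SAMPLE_RULES, SAMPLE_FINDINGS)), end="")
```

On the sample input the rule with only an unmatched CVE (sid 1000003) is dropped, the two rules that match a finding by CVE or BID survive, and the `sameip` rule with no references is kept unconditionally. Note the caveat in the reply: this prunes alerts to what the scanner found, which is a reasonable IDS tuning step but a poor basis for an inline blocking policy.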
