IDS mailing list archives
RE: Snort and Nessus Signature
From: "Derick Anderson" <danderson () vikus com>
Date: Fri, 16 Sep 2005 12:54:11 -0400
-----Original Message----- From: cruxiezzzzz () yahoo com [mailto:cruxiezzzzz () yahoo com] Sent: Friday, September 16, 2005 2:53 AM To: focus-ids () securityfocus com Subject: Snort and Nessus Signature Hi All, I am doing some research into integrating Snort and Nessus together. Just wondering if there are any Snort or Nessus Experts out there that can tell me if there are using the same tables for their signatures? cause i understand that they both use the CVE and BID tracking. Not to sure bout the way their signatures are stored though. would be great if anyone out there can shed some light on this. thanks alot Crux
Snort sigs are all stored in text files and there's plenty of documentation on them. Many have BIDs and CVE numbers and some even have Nessus plugin IDs. However, there are some that have only Snort signature IDs or are generated by preprocessors. Those signatures are usually just generically bad packets. My suggestion (and I'm not a CISSP or anything, so it's just what I think, and if you already thought of this good for you): Find a way to store Snort rules and Nessus signatures in a database and use some program to generate your own flat-file Snort ruleset. Leave all Snort rules that don't have any of those IDs in the ruleset. Run Nessus and then whatever matches you get you can now correlate with Snort signatures. Add those to your ruleset and you'll have a fairly optimized set. I've occasionally considered doing something like this but have always lacked the time. I wouldn't do this if I were going to use Snort-Inline as an IPS, though. Since I[D|P]Ses are an "enumerating badness" game I'd want to block as much bad traffic as I could get away with. With an IDS, I want to know about recon activity and exploits that can actually hurt me. Derick Anderson ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Re: Snort and Nessus Signature, (continued)
- Re: Snort and Nessus Signature Ron Gula (Sep 22)
- Re: Snort and Nessus Signature Olaf Gellert (Sep 26)
- Re: Snort and Nessus Signature Ron Gula (Sep 26)
- Re: Snort and Nessus Signature Jason (Sep 26)
- Re: Snort and Nessus Signature Vikram Phatak (Sep 26)
- Re: Snort and Nessus Signature Jason (Sep 26)
- Re: Snort and Nessus Signature Vikram Phatak (Sep 26)