IDS mailing list archives
Re: Snort and Nessus Signature
From: Michael Sierchio <kudzu () tenebras com>
Date: Mon, 19 Sep 2005 17:18:47 -0700
Vikram Phatak wrote:
> It is not a simple matter to integrate Nessus & Snort since there are quite a few errors in the snort signatures, or in the supporting information for many of the snort signatures (CVE, BID, descriptions, etc.). Also, many snort signatures do not have CVE, BID references since historically they have been written based upon packet captures of specific exploits, (such as "Sasser") as opposed to vulnerabilities (LSASS), which is how CVE entries are sorted. And there is no publicly available DB that I know of that correlates exploits to vulnerabilities.
You're quite right, Vikram. This is the current focus of my work -- it is somewhat of a research project. ;-) There are several commercial products that claim to do the task of correlating vulnerabilities to IDS rules. Tenable's Lightning Console is one. nCircle's nTellect appears to do this for their own IP360 vulnerability mgt system and Cisco's IDS/IPS. nCircle's vulnerability assessment tool is, IMHO, by far the best. I very much like the numerical scoring (instead of HIGH/MED/LOW), it's very good at application detection in depth. They partnered with Cisco as a business decision, clearly Cisco is ubiquitous and already in large data centers, etc. -- And those making business decisions want more than anything to be told a convincing story on "risk management" which doesn't require them to hire one of us geeky engineers. ;-) But I digress...
> We (Lucid Security) have found that it was far more efficient (and reliable) to choose the OS & Application versions that we want to protect (MSFT, Linux, Solaris, Apache, IIS, SQL, etc.) and prioritize accordingly.
It would be nice[tm] not to have to perform an asset enumeration by hand -- this, in practice, isn't even possible. Desktop users install software all the time, either intentionally or... and hosts come and go on networks, as do services. So the idea of continuous scanning to perform the task is very appealing. That's one possible use of a vulnerability scanner.
> We then chose the appropriate CVE entries that met the requirements of our "filter" and wrote and tested signatures based upon the vulnerability accordingly. If there was an existing signature that met our requirements, then great! But we found that was rarely the case.
Hand tooling rules is labor intensive and expensive. I'm not saying that it isn't necessary, but it isn't scalable. I am working on a correlation database -- there are many points of "associative retrieval" -- OS, Vendor, Product, Version, etc. Vulnerabilities are a part, to be sure, but potential vulnerabilities which may be inferred from the other correlatives is important. I'm not interested in attempted web exploits for which I know I am not vulnerable -- I always want to know when strange traffic originates from an internal host, or if one has responded to a potentially malicious stimulus. This is a different
> I guess what I am trying to say is that without a lot of additional work, there is very little value in simply correlating Nessus to Snort via CVE & BID entries.
Right you are. The labor is not rewarded with wisdom, or much of anything particularly useful.
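The correlation the thread is arguing about, as an added example that is not part of any message above and not code from Lucid Security, Tenable or nCircle: it joins Snort `reference:` options to Nessus-style findings on a per-host basis and classifies each alert. The Snort rules, the findings, the host list and the alerts are all constructed for the example (local-range sids, illustrative hosts); the function names are the example's own. It shows the two practical problems the posters name: Snort spells references as `cve,2003-0533` and `bugtraq,10108` while a scanner reports `CVE-2003-0533` and BID `10108`, so both must be normalized before a join; and an exploit-derived signature with no CVE/BID reference can never be confirmed or cleared by scan data, whatever the join does. It also separates "scanner saw no such hole on this host" from "this host was never scanned", which matters on a network where hosts come and go.

```python
import re
from collections import defaultdict

# Constructed Snort rules for this example (local-range sids, not a real ruleset).
# The first two carry vulnerability references; the third is an exploit-payload
# signature with none, the "Sasser rather than LSASS" case from the thread.
SNORT_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS LSASS DsRolerUpgradeDownlevelServer attempt"; flow:to_server,established; content:"|05 00|"; reference:cve,2003-0533; reference:bugtraq,10108; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS ISAPI .ida attempt"; flow:to_server,established; uricontent:".ida?"; reference:cve,2001-0500; classtype:web-application-attack; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS Sasser-style shellcode"; flow:to_server,established; content:"|90 90 90 90|"; classtype:attempted-admin; sid:1000003; rev:1;)
'''

# Constructed Nessus-style findings and the set of hosts the scan actually covered.
NESSUS_FINDINGS = [
    {"host": "10.0.0.5", "port": 445, "cve": ["CVE-2003-0533"], "bid": ["10108"]},
    {"host": "10.0.0.7", "port": 80, "cve": ["CVE-2001-0500"], "bid": []},
]
SCANNED_HOSTS = {"10.0.0.5", "10.0.0.7", "10.0.0.9"}   # 10.0.0.9 scanned clean

RULE_RE = re.compile(r'^\s*alert\s+\S+\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s*\((.*)\)\s*$')
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')


def normalize_ref(kind, value):
    """Map Snort and scanner reference spellings onto one key.

    reference:cve,2003-0533 and CVE-2003-0533 both become ('cve', '2003-0533');
    reference:bugtraq,10108 and BID 10108 both become ('bid', '10108').
    """
    kind, value = kind.strip().lower(), value.strip()
    if kind == "cve":
        if value.upper().startswith("CVE-"):
            value = value[4:]
        return ("cve", value)
    if kind in ("bugtraq", "bid"):
        return ("bid", value)
    return (kind, value)


def parse_snort_rules(text):
    """Return {sid: {'msg': str, 'refs': set of normalized references}}."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        sid, msg, refs = None, "", set()
        for key, val in OPT_RE.findall(m.group(1)):
            if key == "sid":
                sid = int(val)
            elif key == "msg":
                msg = val.strip('"')
            elif key == "reference":
                kind, _, ident = val.partition(",")
                refs.add(normalize_ref(kind, ident))
        if sid is not None:
            rules[sid] = {"msg": msg, "refs": refs}
    return rules


def index_findings(findings):
    """Return {host: set of normalized references the scanner reported on it}."""
    by_host = defaultdict(set)
    for f in findings:
        for cve in f.get("cve", []):
            by_host[f["host"]].add(normalize_ref("cve", cve))
        for bid in f.get("bid", []):
            by_host[f["host"]].add(normalize_ref("bid", bid))
    return by_host


def uncorrelatable(rules):
    """sids with no CVE/BID reference: scan data can neither confirm nor clear them."""
    return sorted(sid for sid, r in rules.items()
                  if not any(k in ("cve", "bid") for k, _ in r["refs"]))


def triage(sid, dst_host, rules, host_refs, scanned):
    """Classify one alert (rule sid fired against dst_host) using the scan data."""
    refs = {r for r in rules[sid]["refs"] if r[0] in ("cve", "bid")}
    if not refs:
        return "UNKNOWN"          # exploit-derived signature, nothing to join on
    if dst_host not in scanned:
        return "UNSCANNED"        # no asset data at all for this target
    if host_refs.get(dst_host, set()) & refs:
        return "VULNERABLE"       # scanner saw this very hole on the target
    return "NOT_VULNERABLE"       # scanned, and this hole was not found


def run_demo():
    """Triage a handful of constructed alerts; returns {(sid, host): verdict}."""
    rules = parse_snort_rules(SNORT_RULES)
    host_refs = index_findings(NESSUS_FINDINGS)
    alerts = [(1000001, "10.0.0.5"), (1000001, "10.0.0.7"), (1000002, "10.0.0.7"),
              (1000003, "10.0.0.5"), (1000001, "10.0.0.9"), (1000001, "10.0.0.42")]
    return {(sid, h): triage(sid, h, rules, host_refs, SCANNED_HOSTS) for sid, h in alerts}


if __name__ == "__main__":
    for (sid, host), verdict in run_demo().items():
        print(f"sid {sid} -> {host}: {verdict}")
    print("rules with nothing to correlate:", uncorrelatable(parse_snort_rules(SNORT_RULES)))
```

The join itself is a few lines; the work the thread says is missing lies in the inputs. Every rule that lands in `uncorrelatable` stays UNKNOWN forever, and a mis-assigned CVE on either side quietly turns a VULNERABLE into a NOT_VULNERABLE, which is why a verdict from this table should demote an alert's priority rather than suppress it.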
Current thread:
- Snort and Nessus Signature cruxiezzzzz (Sep 16)
- Re: Snort and Nessus Signature Jason (Sep 19)
- Re: Snort and Nessus Signature Vikram Phatak (Sep 19)
- Re: Snort and Nessus Signature Michael Sierchio (Sep 21)
- Re: Snort and Nessus Signature Ron Gula (Sep 22)
- Re: Snort and Nessus Signature Olaf Gellert (Sep 26)
- Re: Snort and Nessus Signature Ron Gula (Sep 26)
- Re: Snort and Nessus Signature Michael Sierchio (Sep 21)
- Re: Snort and Nessus Signature Jason (Sep 26)
- Re: Snort and Nessus Signature Vikram Phatak (Sep 26)
- Re: Snort and Nessus Signature Jason (Sep 26)
- Re: Snort and Nessus Signature Vikram Phatak (Sep 26)
- <Possible follow-ups>
- Re: Snort and Nessus Signature barcajax (Sep 16)