Nmap Development mailing list archives

RE: [RFC] Vulnerability library proposal


From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Mon, 8 Aug 2011 10:22:25 +0100

Hi Christian,

I suspect "Risk factor" is going to be similar to how Nessus displays a risk
factor for an issue in addition to the CVSS score and CVSSv2 vector (and
many others). I do think it would be a good idea to hold the CVSSv2 base
score for each vulnerability though, to save me from having to identify a
score for each issue raised by Nmap (or using the CVE to identify a score
using NVD's database, for example).

I don't think we should restrict ourselves to a single reference. Again,
Nessus often provides several references for an issue, and for issues such
as CVE-2009-3555 you might want to point people in the direction of specific
posts by OpenSSL, Microsoft or F5 rather than a generic CVE. Many users may
be casual users that don't use Nessus, Nikto or other tools, and might
appreciate as much information as possible. If people want to merge
references with those from other tools then they can probably choose to
ignore the Nmap ones or choose to merge them all (if there are duplicate
URLs then it's usually easy to de-dupe entries - I don't know offhand how
Dradis Framework handles it, but any custom Ruby script could probably get
away with a quick .uniq to remove duplicate URLs from an array).

Real-time lookups of descriptions are an interesting idea, but I would
personally prefer that the scripts don't require a third party
server/internet access to provide a description. Many of my scans are
performed on-site without internet access, and I suspect when I have
internet access on-site then many/most of those customers would not like
their vulnerabilities to be sent in real time over the internet to a third
party server. I appreciate that storing this information within the scripts
would add to the size of Nmap's downloads.

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org]
On Behalf Of Christian Heinrich
Sent: 08 August 2011 00:58
To: nmap-dev
Subject: Re: [RFC] Vulnerability library proposal

Djalal,

On Sun, Aug 7, 2011 at 9:40 AM, Djalal Harouni <tixxdz () opendz org> wrote:
It would be really great if we can have suggestions from pen-testers 
and from people that integrate and use Nmap in their security tools.
Thanks in advance.

http://dradisframework.org/ integrates nmap (XML) and they offer a similar
concept i.e. http://securityroots.com/vulndb/

 - "Risk factor": if present then show it (optional).

Would this be the "Base Metrics" from CVSSv2?

 - "References": reference links (optional).

nmap could use a single reference value, such as CVE #.

The other references (i.e. blogs, advisories, etc) could be retrieved when
the results from Nikto, skipfish, etc are consumed, such as when they are
uploaded to http://dradisframework.org/

However, it would assist with error checking/quality if nmap also mentioned
these values.

 - "Description": vulnerability description (optional).

This could be obtained in real time with http://scap.nist.gov/


--
Regards,
Christian Heinrich

http://cmlh.id.au/contact
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


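To make the two points in Rob's reply concrete (storing a CVSSv2 base score per finding and deriving a Nessus-style risk factor from it, and merging references from several tools while de-duplicating URLs), here is an added Ruby example that is not part of this thread, of Nmap or of Dradis. The record layout, the field names and the sample values are constructed for illustration; the severity bands are NVD's published CVSSv2 ranges. It also shows that a bare `Array#uniq` misses trivially different spellings of the same URL, which is why the references are normalised first.

```ruby
require 'uri'

# NVD's CVSSv2 severity bands, used as the "Risk factor" label.
def risk_factor(cvss2_base)
  unless (0.0..10.0).cover?(cvss2_base)
    raise ArgumentError, "CVSSv2 base score must be within 0.0..10.0"
  end
  case cvss2_base
  when 0.0...4.0 then 'Low'
  when 4.0...7.0 then 'Medium'
  else 'High'
  end
end

# Normalise a reference so trivially different spellings compare equal:
# lower-case scheme and host, drop the fragment, strip trailing slashes.
# Non-URL references (e.g. a bare CVE id) are only whitespace-trimmed.
def normalise_ref(ref)
  ref = ref.strip
  u = URI.parse(ref)
  return ref unless u.is_a?(URI::HTTP) # URI::HTTPS is a subclass of URI::HTTP
  u.scheme = u.scheme.downcase
  u.host = u.host.downcase
  u.fragment = nil
  u.path = u.path.sub(%r{/+\z}, '')
  u.to_s
end

# Merge reference lists from several tools, keeping first-seen order and
# removing duplicates that a plain Array#uniq on raw strings would keep.
def merge_references(*lists)
  lists.flatten.map { |r| normalise_ref(r) }.uniq
end

# Build one finding in the shape the thread discusses (hypothetical layout).
def build_record(title, cvss2_base, *reference_lists)
  {
    title: title,
    cvss2_base: cvss2_base,
    risk_factor: risk_factor(cvss2_base),
    references: merge_references(*reference_lists)
  }
end

# Constructed sample input: the same advisory URL as reported by two tools,
# spelled differently, plus a bare CVE id. Score and URLs are made up.
if __FILE__ == $PROGRAM_NAME
  nmap_refs  = ['http://example.com/advisory/', 'CVE-2009-3555']
  other_refs = ['HTTP://Example.com/advisory#top']
  p build_record('TLS renegotiation', 5.8, nmap_refs, other_refs)
end
```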

