Snort mailing list archives

Re: CVEs -> Snort Rules


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Sat, 14 Nov 2015 22:15:14 +0000

Nate,

Yes. Generic rules don't have every CVE they cover for obvious reasons.  But when our analysts write rules to a 
particular CVE, they put it in the references and therefore the documentation.  If an older rule catches a newer CVE, 
we update the references on the older rule.

--
Joel Esler
Manager, Talos Group
Sent from my iPhone

On Nov 14, 2015, at 4:21 PM, Nate B. Clark <nateclark () tyndale com> wrote:

Hi - I've looked in the vulnerability database/signatures/policy/Snort.org. They do have some good specifics, and some 
CVEs are listed in the available research.

I think what I'm running into is that a single rule might relate to multiple CVEs.  But it doesn't look like the rules, 
etc., are updated with this information.  For example, a generic SQL injection rule might properly detect a Joomla 
vulnerability listed in the CVE.  But that information isn't available somewhere already.  We need to spend the time to 
research and test each CVE against existing rules to find a good match.

But overall, we were wondering if Cisco or the community already has an existing effort to tag CVEs to rules that we 
could use and contribute to; might be collectively beneficial.  I really don't know, but I imagine it might be a 
significant benefit similar to the approach taken with the Talos rules for Microsoft Security Bulletins (which is great 
BTW).

Thanks again for your time and expertise - I really appreciate it.

Nate Clark
Network Administrator
Tyndale House Publishers
351 Executive Dr. Carol Stream, IL 60188

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Saturday, November 14, 2015 12:48 PM
To: Nate B. Clark <nateclark () tyndale com>
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] CVEs -> Snort Rules

You can search for the CVEs in the policy application interface and it will show you the applicable rules, or you can 
search for the CVE on Snort.org.
--
Joel Esler
Manager, Talos Group
Sent from my iPhone

On Nov 14, 2015, at 1:01 PM, Nate B. Clark <nateclark () tyndale com> wrote:

Hi -

In researching specific software vulnerabilities one can easily find CVEs that denote the relevant information. For 
example, https://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html provides CVE numbers: 
CVE-2015-7297, CVE-2015-7857, CVE-2015-7858.

Is there any resource out there (from Cisco/Talos/Sourcefire or otherwise) that has the ability to determine if an 
existing Snort rule maps to a published CVE? The ultimate goal would be to ensure the relevant rules are enabled and 
protect against the Joomla vulnerabilities until the software can be properly patched. We also wish to do the same 
with some specific Oracle CVEs, etc.

We are using Cisco FireSIGHT Management Center.

Thanks,

Nate Clark
Network Administrator
Tyndale House Publishers
351 Executive Dr. Carol Stream, IL 60188
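Joel's answer above is that CVE coverage is recorded in each rule's `reference:cve,...` option, so the mapping Nate asks for can be built locally from the rules files themselves. The following Python script is an added example and not code from this thread or from Talos: it indexes a Snort rules file by CVE reference, records whether each matching rule is enabled or commented out, and reports per-CVE coverage. The rule text, SIDs (9000001-9000003) and messages are constructed for the example; only the CVE numbers come from the thread.

```python
import re
from typing import Dict, List, NamedTuple

class RuleHit(NamedTuple):
    sid: int
    msg: str
    enabled: bool   # False when the rule line is commented out with '#'

# Constructed sample rules file. SIDs and messages are made up for this example;
# the CVE numbers are the Joomla ones quoted in the thread.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE Joomla SQL injection attempt"; flow:to_server,established; content:"/index.php"; http_uri; reference:cve,2015-7857; reference:cve,2015-7858; classtype:web-application-attack; sid:9000001; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE generic SQL injection"; flow:to_server,established; content:"union select"; nocase; http_uri; reference:cve,2015-7297; reference:url,example.invalid/sqli; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE unrelated rule"; content:"foo"; sid:9000003; rev:1;)
'''

# A rule line: optional leading '#' (disabled), an action, then the option block in parentheses.
_RULE_RE = re.compile(r'^\s*(?P<disabled>#\s*)?(?:alert|drop|reject|pass|log)\s.*?\((?P<opts>.*)\)\s*$')
_MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"')
_SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
# Snort writes CVE references as  reference:cve,2015-7857;  (no "CVE-" prefix).
_CVE_RE = re.compile(r'\breference\s*:\s*cve\s*,\s*([^;\s]+)\s*;', re.IGNORECASE)

def normalize_cve(ref: str) -> str:
    """Accept '2015-7857', 'cve-2015-7857' or 'CVE-2015-7857' and return 'CVE-2015-7857'."""
    ref = ref.strip().upper()
    return ref if ref.startswith('CVE-') else 'CVE-' + ref

def index_rules_by_cve(rules_text: str) -> Dict[str, List[RuleHit]]:
    """Map each CVE referenced in the rules file to the rules (SID, msg, enabled) that cite it."""
    index: Dict[str, List[RuleHit]] = {}
    for line in rules_text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue                      # blank lines and ordinary comments
        opts = m.group('opts')
        sid_m = _SID_RE.search(opts)
        if not sid_m:
            continue                      # malformed rule without a sid
        msg_m = _MSG_RE.search(opts)
        hit = RuleHit(int(sid_m.group(1)), msg_m.group(1) if msg_m else '', m.group('disabled') is None)
        for cve in _CVE_RE.findall(opts):
            index.setdefault(normalize_cve(cve), []).append(hit)
    return index

def rules_for_cve(index: Dict[str, List[RuleHit]], cve: str) -> List[RuleHit]:
    return index.get(normalize_cve(cve), [])

def coverage_report(index: Dict[str, List[RuleHit]], cves: List[str]) -> Dict[str, str]:
    """Per CVE: 'enabled' (at least one live rule), 'disabled-only' (all citing rules commented out) or 'none'."""
    report = {}
    for cve in cves:
        hits = rules_for_cve(index, cve)
        status = 'none' if not hits else ('enabled' if any(h.enabled for h in hits) else 'disabled-only')
        report[normalize_cve(cve)] = status
    return report
```

Point `index_rules_by_cve` at the concatenated contents of your deployed `.rules` files and `coverage_report` gives the enabled/disabled answer for a CVE list such as the Joomla advisory's; rules that catch a CVE without citing it will still show as 'none', which is exactly the gap Nate describes.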

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!