Snort mailing list archives
Re: CVEs -> Snort Rules
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Sat, 14 Nov 2015 22:15:14 +0000
Nate,

Yes. Generic rules don't have every CVE they cover for obvious reasons. But when our analysts write rules to a particular CVE, they put it in the references and therefore the documentation. If an older rule catches a newer CVE, we update the references on the older rule.

--
Joel Esler
Manager, Talos Group

Sent from my iPhone

On Nov 14, 2015, at 4:21 PM, Nate B. Clark <nateclark () tyndale com> wrote:

> Hi -
>
> I've looked in the vulnerability database/signatures/policy/Snort.org. They do have some good specifics and some CVEs are listed in the available research. I think what I'm running into is that a single rule might relate to multiple CVEs. But it doesn't look like the rules, etc., are updated with this information. For example, a generic SQL injection rule might properly detect a Joomla vulnerability listed in the CVE. But that information isn't available somewhere already. We need to spend the time to research and test each CVE against existing rules to find a good match.
>
> But overall, we were wondering if Cisco or the community already has an existing effort to tag CVEs to rules that we could use and contribute to; might be collectively beneficial. I really don't know, but I imagine it might be a significant benefit similar to the approach taken with the Talos rules for Microsoft Security Bulletins (which is great BTW).
>
> Thanks again for your time and expertise - I really appreciate it.
>
> Nate Clark
> Network Administrator
> Tyndale House Publishers
> 351 Executive Dr.
> Carol Stream, IL 60188
>
> From: Joel Esler (jesler) [mailto:jesler () cisco com]
> Sent: Saturday, November 14, 2015 12:48 PM
> To: Nate B. Clark <nateclark () tyndale com>
> Cc: snort-sigs () lists sourceforge net
> Subject: Re: [Snort-sigs] CVEs -> Snort Rules
>
> You can search for the CVEs in the policy application interface and it will show you the applicable rules, or you can search for the CVE on Snort.org.
>
> --
> Joel Esler
> Manager, Talos Group
>
> Sent from my iPhone
>
> On Nov 14, 2015, at 1:01 PM, Nate B. Clark <nateclark () tyndale com> wrote:
>
>> Hi -
>>
>> In researching specific software vulnerabilities one can easily find CVEs that denote the relevant information. For example, https://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html provides CVE Numbers: CVE-2015-7297, CVE-2015-7857, CVE-2015-7858.
>>
>> Is there any resource out there (from Cisco/Talos/Sourcefire or otherwise) that has the ability to determine if an existing Snort Rule maps to a published CVE? The ultimate goal would be to ensure the relevant rules are enabled and protect against the Joomla vulnerabilities until the software can be properly patched. We also wish to do the same with some specific Oracle CVEs, etc. We are using Cisco FireSIGHT Management Center.
>>
>> Thanks,
>>
>> Nate Clark
>> Network Administrator
>> Tyndale House Publishers
>> 351 Executive Dr.
>> Carol Stream, IL 60188
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs () lists sourceforge net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org
>> Please visit http://blog.snort.org for the latest news about Snort!
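Joel's point is that CVE coverage lives in each rule's reference keyword, so a local copy of the rule set can be indexed by CVE directly and checked for whether the matching rules are enabled, which is what Nate wants for the Joomla CVEs. The script below is an added example written for this archive page, not a Talos tool or anything from the thread; the rules it parses are constructed samples using local sids (1000001 and up) that are not real Snort rules, although the CVE numbers are the Joomla ones Nate cited.

```python
import re
from collections import defaultdict

# Constructed sample rule set. The sids are in the local range and the
# rule bodies are illustrative only; they are not published Talos rules.
# The third rule is commented out, i.e. disabled in this policy.
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE Joomla core SQL injection attempt"; flow:to_server,established; content:"/index.php"; http_uri; reference:cve,2015-7297; reference:cve,2015-7857; reference:cve,2015-7858; classtype:web-application-attack; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE generic SQL injection UNION SELECT in URI"; flow:to_server,established; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; reference:cve,2015-7857; classtype:web-application-attack; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE Joomla SQL injection, disabled here"; flow:to_server,established; content:"/index.php"; http_uri; reference:cve,2015-7297; classtype:web-application-attack; sid:1000003; rev:1;)
"""

# Snort writes CVE references as "reference:cve,YYYY-NNNN;" (no "CVE-" prefix).
CVE_REF = re.compile(r"reference:\s*cve\s*,\s*(\d{4}-\d{4,})\s*;", re.I)
SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG = re.compile(r'msg\s*:\s*"([^"]*)"\s*;')


def normalize_cve(cve):
    """Accept 'CVE-2015-7297' or '2015-7297' and return 'CVE-2015-7297'."""
    cve = cve.strip().upper()
    return cve if cve.startswith("CVE-") else "CVE-" + cve


def index_rules(text):
    """Map each CVE cited in a rule file to the rules that cite it.

    A rule citing several CVEs lands under each of them, and disabled
    (commented-out) rules are kept with enabled=False so that a CVE whose
    only matching rule is switched off is visible rather than silently missing.
    """
    index = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("# ")
        sid_m, msg_m = SID.search(body), MSG.search(body)
        if not sid_m:
            continue  # not a rule line
        for cve in CVE_REF.findall(body):
            index[normalize_cve(cve)].append({
                "sid": int(sid_m.group(1)),
                "msg": msg_m.group(1) if msg_m else "",
                "enabled": enabled,
            })
    return dict(index)


def rules_for_cve(index, cve):
    """Rules citing the given CVE, in file order; empty if none cite it."""
    return index.get(normalize_cve(cve), [])
```

An empty result only means no rule carries that reference; as Joel notes, a generic rule may still detect the issue without citing the CVE, so a miss is a lead for testing rather than proof of no coverage.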