IDS mailing list archives

Re: Snort and Nessus Signature


From: Teemu Schaabl <teemu () lynix net>
Date: Sat, 17 Sep 2005 09:25:32 +0200

cruxiezzzzz () yahoo com(cruxiezzzzz () yahoo com)@2005.09.16 06:52:56 -0000:
Hi All,
 
I am doing some research into integrating Snort and Nessus together. 
Just wondering if there are any Snort or Nessus experts out there who 
can tell me if they are using the same tables for their signatures, 
because I understand that they both use CVE and BID tracking. Not too sure 
about the way their signatures are stored though. It would be great if 
anyone out there can shed some light on this.
 

Nessus implements a scripting language, NASL (iirc Nessus Attack
Scripting Language); these NASL files (plugins) are stored in flat
files. Some of them have dependencies (it doesn't make sense running
further scanning of applications which are definitely not installed on
$TARGET). They are _not_ just "patterns". 
So what you have to do is extract the actual attack and store it in
your database. Be aware that some of the patterns in these plugins 
will produce false positives if you just take them and match them
against some logfiles/traffic/whatever without thinking about the 
dependencies. (Keep in mind that we are talking about over 2500
plugins to go through and evaluate.)

what is the idea behind your "integration"?

regards
teemu
-- 
"Every man takes the limits of his own field of vision
 for the limits of the world." - Schopenhauer
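The two points raised in this thread, that both tools carry CVE and BID references and that NASL plugins have dependencies which a naive pattern export ignores, can be demonstrated with a small cross-reference script. This is an added example, not code from the thread or from the Snort or Nessus projects. The two NASL plugins and the two Snort rules it parses are constructed samples (plugin ids 9000x, sid 100000x, CVE-1999-0001 and BID 12345 are placeholders); the NASL description-block calls it looks for (script_cve_id, script_bugtraq_id, script_dependencies, script_id) and the Snort reference:cve / reference:bugtraq keywords are the real metadata conventions, and the script keys both sides on the normalised CVE/BID values rather than on any pattern text.

```python
import re
from collections import deque

# Constructed sample NASL plugins (not real Nessus plugins): a service
# detector and a vulnerability check that depends on it.
SAMPLE_NASL = {
    "http_version.nasl": """
if (description) {
  script_id(90001);
  script_name("HTTP server type and version (constructed)");
  exit(0);
}
""",
    "example_http_flaw.nasl": """
if (description) {
  script_id(90002);
  script_cve_id("CVE-1999-0001");
  script_bugtraq_id(12345);
  script_name("Example HTTP flaw (constructed)");
  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}
""",
}

# Constructed Snort rules; the first carries the same CVE/BID as the plugin.
SAMPLE_SNORT_RULES = [
    'alert tcp any any -> any 80 (msg:"WEB example flaw"; '
    'reference:cve,1999-0001; reference:bugtraq,12345; sid:1000001; rev:1;)',
    'alert tcp any any -> any 21 (msg:"FTP example"; '
    'reference:bugtraq,99999; sid:1000002; rev:1;)',
]

_QUOTED = re.compile(r'"([^"]*)"')


def _call_args(text, func):
    """Raw argument text of every func(...) call in a NASL script."""
    return re.findall(r"\b" + re.escape(func) + r"\(([^)]*)\)", text)


def parse_nasl(name, text):
    """Pull the metadata a cross-reference needs out of one NASL plugin."""
    cves = {c.upper() for args in _call_args(text, "script_cve_id")
            for c in _QUOTED.findall(args)}
    bids = {int(b) for args in _call_args(text, "script_bugtraq_id")
            for b in re.findall(r"\d+", args)}
    deps = [d for args in _call_args(text, "script_dependencies")
            for d in _QUOTED.findall(args)]
    ids = _call_args(text, "script_id")
    return {"name": name, "id": int(ids[0]) if ids else None,
            "cves": cves, "bids": bids, "deps": deps}


def parse_snort_rule(rule):
    """Extract sid and CVE/BID references from one Snort rule line."""
    sid = re.search(r"\bsid:(\d+);", rule)
    # Snort writes the CVE without the "CVE-" prefix; normalise to NASL's form.
    cves = {"CVE-" + c for c in re.findall(r"reference:cve,([\w-]+);", rule)}
    bids = {int(b) for b in re.findall(r"reference:bugtraq,(\d+);", rule)}
    return {"sid": int(sid.group(1)) if sid else None, "cves": cves, "bids": bids}


def load_sample_plugins():
    return {n: parse_nasl(n, t) for n, t in SAMPLE_NASL.items()}


def cross_reference(plugins, rules):
    """Map each Snort sid to the NASL plugins sharing a CVE or BID with it."""
    links = {}
    for rule in rules:
        links[rule["sid"]] = {
            p["name"] for p in plugins.values()
            if (p["cves"] & rule["cves"]) or (p["bids"] & rule["bids"])}
    return links


def dependency_closure(plugins, name):
    """Every plugin that must run before `name`, breadth-first, without cycles."""
    seen, order, queue = {name}, [], deque(plugins[name]["deps"])
    while queue:
        dep = queue.popleft()
        if dep in seen:
            continue
        seen.add(dep)
        order.append(dep)
        queue.extend(plugins.get(dep, {"deps": []})["deps"])
    return order


if __name__ == "__main__":
    plugins = load_sample_plugins()
    rules = [parse_snort_rule(r) for r in SAMPLE_SNORT_RULES]
    for sid, names in cross_reference(plugins, rules).items():
        for n in sorted(names):
            print(f"sid {sid} <-> {n}; must run first: {dependency_closure(plugins, n)}")
```

The join key is the CVE/BID pair, so a Snort alert can be traced to the Nessus check for the same issue without touching the plugin's attack logic; dependency_closure shows which detector plugins have to succeed before that check is meaningful, which is exactly the context a pattern lifted out of the plugin loses.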
