IDS mailing list archives

Re: Snort and Nessus Signature


From: Michael Sierchio <kudzu () tenebras com>
Date: Mon, 19 Sep 2005 17:18:47 -0700

Vikram Phatak wrote:

> It is not a simple matter to integrate Nessus & Snort since there are
> quite a few errors in the snort signatures, or in the supporting
> information for many of the snort signatures (CVE, BID, descriptions,
> etc.). Also, many snort signatures do not have CVE, BID references
> since historically they have been written based upon packet captures
> of specific exploits (such as "Sasser") as opposed to vulnerabilities
> (LSASS), which is how CVE entries are sorted. And there is no publicly
> available DB that I know of that correlates exploits to vulnerabilities.

You're quite right, Vikram.  This is the current focus of my work --
it is somewhat of a research project. ;-)

There are several commercial products that claim to do the task of
correlating vulnerabilities to IDS rules.  Tenable's Lightning
Console is one.  nCircle's nTellect appears to do this
for their own IP360 vulnerability mgt system and Cisco's IDS/IPS.
nCircle's vulnerability assessment tool is, IMHO, by far the best.
I very much like the numerical scoring (instead of HIGH/MED/LOW),
it's very good at application detection in depth.  They partnered
with Cisco as a business decision, clearly Cisco is ubiquitous
and already in large data centers, etc.  -- And those making
business decisions want more than anything to be told a convincing
story on "risk management" which doesn't require them to hire
one of us geeky engineers. ;-)  But I digress...

> We (Lucid Security) have found that it was far more efficient (and
> reliable) to choose the OS & Application versions that we want to
> protect (MSFT, Linux, Solaris, Apache, IIS, SQL, etc.) and prioritize
> accordingly.

It would be nice[tm] not to have to perform an asset enumeration
by hand -- this, in practice, isn't even possible.  Desktop users
install software all the time, either intentionally or...  and
hosts come and go on networks, as do services.  So the idea of
continuous scanning to perform the task is very appealing.  That's
one possible use of a vulnerability scanner.

> We then chose the appropriate CVE entries that met the requirements of
> our "filter" and wrote and tested signatures based upon the
> vulnerability accordingly. If there was an existing signature that met
> our requirements, then great! But we found that was rarely the case.

Hand tooling rules is labor intensive and expensive.  I'm not saying
that it isn't necessary, but it isn't scalable.  I am working on
a correlation database -- there are many points of "associative
retrieval" -- OS, Vendor, Product, Version, etc.  Vulnerabilities
are a part, to be sure, but potential vulnerabilities which may be
inferred from the other correlatives are important.

I'm not interested in attempted web exploits for which I know I
am not vulnerable -- I always want to know when strange traffic
originates from an internal host, or if one has responded to
a potentially malicious stimulus.  This is a different

> I guess what I am trying to say is that without a lot of additional
> work, there is very little value in simply correlating Nessus to Snort
> via CVE & BID entries.

Right you are.  The labor is not rewarded with wisdom, or much of
anything particularly useful.
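The correlation the thread is arguing about, as an added example that is not part of the original message or of any product named in it: parse CVE/BID references out of Snort rule metadata, look the alert's target up in a host vulnerability inventory of the kind a Nessus scan produces, suppress alerts against hosts known not to carry the CVE, and always escalate when the source is internal. The rules, the host inventory, the internal address range and the alerts are all constructed sample data; the CVE and BID values are illustrative and the functions are hypothetical helpers, not any scanner's or IDS's API.

```python
"""Correlate Snort alerts with a Nessus-style host vulnerability inventory.

Added example, not code from the original post. Everything below
(rules, inventory, alerts, HOME_NET) is constructed sample data.
"""
import ipaddress
import re
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed internal range

# Constructed rules in Snort rule syntax. Only the sid and reference:
# options matter here; the CVE/BID pairs are illustrative.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS LSASS exploit attempt"; flow:to_server,established; sid:1000001; rev:1; reference:cve,2003-0533; reference:bugtraq,10108; classtype:attempted-admin;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS ISAPI .printer access"; flow:to_server,established; content:".printer"; sid:1000002; rev:1; reference:cve,2001-0241; reference:bugtraq,2674; classtype:web-application-attack;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC generic directory traversal"; content:"../"; sid:1000003; rev:1; classtype:web-application-attack;)
'''

# Constructed host -> CVE inventory, as a vulnerability scan would yield it.
HOST_VULNS = {
    "10.0.0.5": {"CVE-2003-0533"},   # unpatched Windows host
    "10.0.0.8": set(),               # patched web server, nothing found
}

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
REF_RE = re.compile(r"\breference:\s*(\w+)\s*,\s*([^;]+);")


def parse_rules(text):
    """Map sid -> {'cve': set(), 'bugtraq': set()} from Snort rule text."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("alert"):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue
        refs = {"cve": set(), "bugtraq": set()}
        for kind, value in REF_RE.findall(line):
            kind, value = kind.lower(), value.strip().upper()
            if kind == "cve":
                # Snort writes "reference:cve,2003-0533"; normalise to CVE-...
                refs["cve"].add(value if value.startswith("CVE-") else "CVE-" + value)
            elif kind == "bugtraq":
                refs["bugtraq"].add(value)
        rules[int(sid.group(1))] = refs
    return rules


@dataclass(frozen=True)
class Alert:
    sid: int
    src: str
    dst: str


def triage(alert, rules, inventory, home_net=HOME_NET):
    """Return a verdict string for one alert.

    Internal sources are always escalated regardless of any CVE match;
    rules without CVE references and hosts missing from the inventory
    cannot be correlated and are sent to review rather than suppressed.
    """
    if ipaddress.ip_address(alert.src) in home_net:
        return "escalate: internal source"
    refs = rules.get(alert.sid)
    if refs is None:
        return "review: unknown sid"
    if not refs["cve"]:
        return "review: rule carries no CVE reference"
    host_cves = inventory.get(alert.dst)
    if host_cves is None:
        return "review: target not in scan inventory"
    hits = refs["cve"] & host_cves
    if hits:
        return "escalate: target vulnerable to " + ",".join(sorted(hits))
    return "suppress: target not vulnerable"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    sample_alerts = [                       # constructed alert records
        Alert(1000001, "203.0.113.7", "10.0.0.5"),
        Alert(1000001, "203.0.113.7", "10.0.0.8"),
        Alert(1000002, "10.0.0.8", "198.51.100.2"),
        Alert(1000003, "203.0.113.7", "10.0.0.8"),
        Alert(1000001, "203.0.113.7", "10.0.0.99"),
    ]
    for a in sample_alerts:
        print(a.sid, a.src, "->", a.dst, ":", triage(a, rules, HOST_VULNS))
```

The third rule, which has no reference: option at all, is the common case the thread complains about: it cannot be correlated and so must go to review rather than be silently dropped, which is why the example never suppresses on missing data, only on a positive "host is not vulnerable" answer.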
