IDS mailing list archives
Re: Snort and Nessus Signature
From: Jason <security () brvenik com>
Date: Sat, 24 Sep 2005 11:08:09 -0400
Vikram Phatak wrote:
Hi Crux,
It is not a simple matter to integrate Nessus & Snort since there are quite a few errors in the snort signatures, or in the supporting information for many of the snort signatures (CVE, BID, descriptions, etc.).
How so? Please provide a little more information.
Also, many snort signatures do not have CVE, BID references since historically they have written based upon packet captures of specific exploits (such as "Sasser") as opposed to vulnerabilities (LSASS), which is how CVE entries are sorted.
Absolutely incorrect. LSASS is the detect method and the rules detect exploitation of a vulnerability not an exploit.
And there is no publicly available DB that I know of that correlates exploits to vulnerabilities. So - In many cases, you will need to determine which vulnerability a specific exploit was written to take advantage of, and work your way back from there.
bugtraq reference: 1565
references: 1441
arachNIDS references: 432
McAfee reference: 9
nessus reference: 676
url reference: 971
any reference: 2713
Total number of rules 3910

Bugtraq coverage: 40%
cve coverage: 36%
arachNIDS coverage: 11%
McAfee coverage: 2%
Nessus coverage: 17%
url coverage: 25%
Percentage coverage any reference: 70%
We (Lucid Security) have found that it was far more efficient (and reliable) to choose the OS & Application versions that we want to protect (MSFT, Linux, Solaris, Apache, IIS, SQL, etc.) and prioritize accordingly. We then chose the appropriate CVE entries that met the requirements of our "filter" and wrote and tested signatures based upon the vulnerability accordingly. If there was an existing signature that met our requirements, then great! But we found that was rarely the case.
I take it you are not in the spirit of the community and as such are either selling your wares and saying screw the rest of the community or you are simply spreading FUD. Which is it?
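
Added example, not part of the original message: one way to produce per-type reference counts like the ones quoted above from a rules file, and to build the Nessus plugin id to Snort sid index that a Nessus/Snort correlation would join on. The sample rules, sids and reference ids are constructed, and counting each rule once per reference type is an assumption about how such figures are tallied.

```python
import re
from collections import Counter

# Constructed sample rules (not from a real ruleset); sids and reference ids are made up.
SAMPLE_RULES = r'''
alert tcp any any -> any 445 (msg:"EXAMPLE rule A"; content:"|00|"; reference:bugtraq,11111; reference:cve,2000-0001; reference:nessus,10001; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE rule B"; content:"/x"; reference:url,example.com/advisory; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE rule C"; content:"abc"; sid:1000003; rev:1;)
# alert tcp any any -> any 21 (msg:"EXAMPLE disabled"; reference:cve,2000-0002; sid:1000004;)
alert tcp any any -> any 25 (msg:"EXAMPLE rule D"; reference:cve,2000-0003; reference:cve,2000-0004; reference:nessus,10002; sid:1000005; rev:2;)
'''

REF_RE = re.compile(r'\breference\s*:\s*([^,;\s]+)\s*,\s*([^;]+?)\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def parse_rules(text):
    """Yield (sid, [(system, id), ...]) for each enabled rule line."""
    for line in map(str.strip, text.splitlines()):
        sid = SID_RE.search(line)
        if line.startswith('#') or not sid:  # skip disabled rules and non-rule lines
            continue
        refs = [(s.lower(), i) for s, i in REF_RE.findall(line)]
        yield int(sid.group(1)), refs

def coverage(text):
    """Return (total rules, rules per reference type, rules with any reference)."""
    total, per_type, any_ref = 0, Counter(), 0
    for _sid, refs in parse_rules(text):
        total += 1
        for system in {s for s, _ in refs}:  # count a rule once per type
            per_type[system] += 1
        any_ref += bool(refs)
    return total, per_type, any_ref

def nessus_to_sids(text):
    """Map Nessus plugin id -> Snort sids citing it (the join key for correlation)."""
    index = {}
    for sid, refs in parse_rules(text):
        for system, ref_id in refs:
            if system == 'nessus':
                index.setdefault(ref_id, []).append(sid)
    return index

if __name__ == '__main__':
    total, per_type, any_ref = coverage(SAMPLE_RULES)
    print(f"Total number of rules {total}")
    for system, n in sorted(per_type.items()):
        print(f"{system} coverage: {100 * n // total}% ({n})")
    print(f"Percentage coverage any reference: {100 * any_ref // total}%")
```

Rules that carry no `reference:nessus` option never appear in the index, so the per-type coverage figure bounds how much of a scan result can be matched to rules this way.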