Nmap Development mailing list archives

Re: [RFC] Vulnerability library proposal


From: Djalal Harouni <tixxdz () opendz org>
Date: Mon, 8 Aug 2011 15:08:45 +0100

Christian,

On Mon, Aug 08, 2011 at 09:58:05AM +1000, Christian Heinrich wrote:
> Djalal,
>
> On Sun, Aug 7, 2011 at 9:40 AM, Djalal Harouni <tixxdz () opendz org> wrote:
>> It would be really great if we can have suggestions from pen-testers and
>> from people that integrate and use Nmap in their security tools.
>> Thanks in advance.
>
> http://dradisframework.org/ integrates nmap (XML) and they offer a
I've just learned about the 'dradisframework', thanks. Yes, after a quick
look it seems that there are a lot of options and tools, and the
framework can also import output data from other projects.

> similar concept i.e. http://securityroots.com/vulndb/
We are designing this NSE vulns library to be flexible, so users can use
their own DB like this 'Vuln::DB' or the 'OSVDB' etc. Perhaps Nmap will
even have its own database?
We'll just use the DB IDs of the vulnerabilities to parse and reference
entries.

If these DBs can be exported in the CSV format then it will be really
easy to parse them in Lua. The idea is taken from Marc Ruef's vulscan
script [1]: the script compares Nmap -sV results with the OSVDB data and
tries to report vulnerabilities.

This library will unify the output and the internal data of these vuln
scripts, and will try to offer some facilities to parse all the
discovered vulnerabilities.

>> - "Risk factor": if present then show it (optional).
>
> Would this be the "Base Metrics" from CVSSv2?
Actually I was thinking that the "Risk factor" will be similar to
the "Risk factor" of OpenVAS.
In his email, Rob Nicholls noted that we should also print CVSS and
CVSSv2 if they are present, and we'll do it.

Of course this information should be provided by vulnerability scripts,
and we'll make it optional; we want a flexible library.

>> - "References": reference links (optional).
>
> nmap could use a single reference value, such as CVE #.
>
> The other references (i.e. blogs, advisories, etc) could be retrieved
> when the results from Nikto, skipfish, etc are consumed, such as when
> they are uploaded to http://dradisframework.org/
>
> However, it would assist with error checking/quality if nmap also
> mentioned these values.

>> - "Description": vulnerability description (optional).
>
> This could be obtained in real time with http://scap.nist.gov/
This information should also be provided by scripts, and they can use
their preferred way to get it; however, this type of script will be
'external' and I don't think that they will be included by default in
Nmap, but anyone is free to write, adapt and submit his own scripts.

We can perhaps have an 'external' scap-vuln-description.nse script that
will fetch the standard descriptions of all the discovered vulnerabilities
and update the internal data of the vulnerability library.

Thanks Christian.


[1] http://seclists.org/nmap-dev/2010/q2/726

-- 
tixxdz
http://opendz.org
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
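An added example, not code from this thread or from Nmap, sketching the record layout and CSV import that the message describes: a DB export parsed in Lua, keyed by the DB's own vuln IDs, with "Risk factor", CVSS, "References" and "Description" all optional in the output. The module name 'vulns', the column names and the ';' separator between references are assumptions, and the sample rows are constructed.

```lua
-- Added example (not code from the thread or from Nmap): a sketch of the
-- proposed vuln library's record fields plus a CSV importer for a DB export.
-- Assumed column names: id,title,risk_factor,cvss,references,description.
local vulns = {}
-- Split one CSV line on commas, honouring double-quoted fields.
local function split_csv(line)
  local fields, buf, quoted = {}, {}, false
  for c in line:gmatch(".") do
    if c == '"' then quoted = not quoted
    elseif c == "," and not quoted then
      fields[#fields + 1] = table.concat(buf); buf = {}
    else buf[#buf + 1] = c end
  end
  fields[#fields + 1] = table.concat(buf)
  return fields
end
-- Parse a CSV export into a table keyed by the DB's own vuln id; empty
-- columns are left nil so every field except id stays optional.
function vulns.load_csv(text)
  local db, header = {}, nil
  for line in text:gmatch("[^\r\n]+") do
    local f = split_csv(line)
    if not header then header = f else
      local entry = {}
      for i, name in ipairs(header) do
        if f[i] and f[i] ~= "" then entry[name] = f[i] end
      end
      db[entry.id] = entry
    end
  end
  return db
end
-- Render one discovered vuln; optional fields appear only when present.
-- References are ';'-separated (an assumption about the export format).
function vulns.format(e)
  local out = { e.title or e.id }
  if e.risk_factor then out[#out + 1] = "  Risk factor: " .. e.risk_factor end
  if e.cvss then out[#out + 1] = "  CVSS: " .. e.cvss end
  if e.description then out[#out + 1] = "  Description: " .. e.description end
  for ref in (e.references or ""):gmatch("[^;]+") do out[#out + 1] = "  Reference: " .. ref end
  return table.concat(out, "\n")
end
-- Constructed sample export (placeholder ids and CVE, not real OSVDB or vulndb rows).
local sample = [[
id,title,risk_factor,cvss,references,description
EXAMPLE-1,"Example service, path traversal",High,7.5,"CVE-0000-0000;http://example.invalid/adv","Constructed entry"
EXAMPLE-2,Example banner-only match,,,,
]]
local db = vulns.load_csv(sample)
print(vulns.format(db["EXAMPLE-1"]))  -- every optional field is present
print(vulns.format(db["EXAMPLE-2"]))  -- only the title is printed
```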
