Snort mailing list archives
Re: snort and nessus
From: counter.spy () gmx de
Date: Tue, 19 Mar 2002 09:32:21 +0100 (MET)
Hi Allen,

difficult question to answer. This will take a whole lot of work, I think. I have done some testing with nessus on snort last week as part of evaluation of snort for my diploma thesis. My aim was to perform some chosen few scans rather than full scans.

The nessus attacks are not all similar, i.e. some of them have various dependencies, e.g. the SSH exploits in section "Gain a shell remotely" depend on the results of the SSH version detection in section "General". Without this information the SSH exploits don't even start.

Another issue is that snort sometimes detects the attempt, sometimes it detects only the successful attempt; that depends on the rule, and the rule depends on the attack.

Ergo, what you need to do is:

- activate only those nessus attacks that fit to your environment (i.e. existent services)
- check for dependencies in nessus
- check for the appropriate snort rules and comment out those you don't need.
- check which snort rules detect the attempt and what rules detect only the successful attempt.

In order to be able to detect other attacks, too, you should consider setting up a dedicated sensor for this purpose.

So if you have checked your environment for vulnerabilities and set up a dedicated sensor with rules that fit to those vulnerabilities, you should be able to detect only those attacks that were successful with your dedicated snort sensor.

But you really should try to fix your security holes in the first place ;)

I hope that helps somehow.

Greetings,
D. Liesen

--------------------------original message------------------------------
Hi,

Serious question this, very important.

I'd like to scan my machines for vulnerabilities with nessus and then automatically make snort only report positive attacks for those particular vulnerabilities. In theory (and I'll take the chance) anything else is a false positive.

Has anyone done this, thought of doing this, tried this? Or any other comments?

Allen Baranov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
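An added illustration of the rule-selection steps listed in the reply above; it is not code from either poster or from the Snort or Nessus projects. It assumes the scanner findings have been reduced to a list of CVE ids, that rules carry `reference:cve,...` options, that the `attempted-`/`successful-` classtype prefixes are an acceptable proxy for "attempt" versus "successful attempt", and that each rule sits on one line; all rules, sids and CVE ids below are constructed placeholders.

```python
import re

# Constructed sample rules: sids, messages and CVE ids are placeholders.
SAMPLE_RULES = """\
alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE ssh overflow"; classtype:attempted-admin; reference:cve,CVE-0000-0001; sid:1000001;)
alert tcp $HOME_NET 22 -> any any (msg:"EXAMPLE shell banner"; classtype:successful-admin; reference:cve,CAN-0000-0002; sid:1000002;)
# alert tcp any any -> any 23 (msg:"EXAMPLE already disabled"; sid:1000003;)
alert icmp any any -> $HOME_NET any (msg:"EXAMPLE ping"; classtype:misc-activity; sid:1000004;)
"""

CVE_REF = re.compile(r"reference\s*:\s*cve\s*,\s*(?:CVE-|CAN-)?(\d{4}-\d+)", re.I)
SID = re.compile(r"\bsid\s*:\s*(\d+)")
CLASSTYPE = re.compile(r"classtype\s*:\s*([\w-]+)")


def norm(cve):
    """Strip the CVE-/CAN- prefix so scanner and rule ids compare equal."""
    return re.sub(r"^(CVE-|CAN-)", "", cve.strip().upper())


def stage(rule):
    """Attempt vs. success, judged only from the rule's classtype prefix."""
    m = CLASSTYPE.search(rule)
    name = m.group(1) if m else ""
    if name.startswith("attempted-"):
        return "attempt"
    if name.startswith("successful-"):
        return "success"
    return "unknown"


def triage(rules_text, confirmed_cves):
    """Comment out active rules whose CVE references match no scanner finding.

    Assumes one rule per line (no backslash continuations).
    Returns (new_rules_text, [(sid, kept, stage), ...]).
    """
    wanted = {norm(c) for c in confirmed_cves}
    out, report = [], []
    for line in rules_text.splitlines():
        text = line.strip()
        if not text or text.startswith("#"):
            out.append(line)  # blank or already disabled: leave untouched
            continue
        kept = bool(wanted & set(CVE_REF.findall(text)))
        sid = SID.search(text)
        report.append((int(sid.group(1)) if sid else None, kept, stage(text)))
        out.append(line if kept else "# " + line)
    return "\n".join(out) + "\n", report
```

Rules without any CVE reference are commented out as well, so a rule set produced this way only suits a dedicated sensor running next to a fully enabled one.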
Current thread:
- snort and nessus Allen Baranov (Mar 18)
- Re: snort and nessus counter . spy (Mar 19)