Hi Crux,
It is not a simple matter to integrate Nessus & Snort since there are
quite a few errors in the snort signatures, or in the supporting
information for many of the snort signatures (CVE, BID, descriptions,
etc.). Also, many snort signatures do not have CVE, BID references
since historically they have been written based upon packet captures of
specific exploits (such as "Sasser") as opposed to vulnerabilities
(LSASS), which is how CVE entries are sorted. And there is no publicly
available DB that I know of that correlates exploits to vulnerabilities.
So, in many cases, you will need to determine which vulnerability a
specific exploit was written to take advantage of, and work your way
back from there.
We (Lucid Security) have found that it was far more efficient (and
reliable) to choose the OS & Application versions that we want to
protect (MSFT, Linux, Solaris, Apache, IIS, SQL, etc.) and prioritize
accordingly. We then chose the appropriate CVE entries that met the
requirements of our "filter" and wrote and tested signatures based upon
the vulnerability accordingly. If there was an existing signature that
met our requirements, then great! But we found that was rarely the
case. The good news was that our resulting signature base could then be
correlated not just by Nessus, but by OS Version, Application version,
etc. so that we could use multiple methods to discover and profile
devices on the network and increase the confidence of our correlated
results.
I guess what I am trying to say is that without a lot of additional
work, there is very little value in simply correlating Nessus to Snort
via CVE & BID entries. I am not trying to discourage you, but thought
you might want to know what you are getting into prior to investing a
lot of time and energy. If you have any additional questions, please
feel free to contact me. Good luck with your efforts!
Best Regards,
-Vik
--
Vikram Phatak
CTO, Lucid Security
http://www.lucidsecurity.com
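As an added illustration of the CVE/BID correlation Vik describes (not code from this thread or from Lucid Security), the Python below joins Snort rule `reference:` options to Nessus NASL `script_cve_id`/`script_bugtraq_id` declarations and separates out the rules that carry no reference at all. The rule lines, plugin ids and CVE/BID numbers are constructed placeholders, and the NASL header format is assumed from the `script_*` calls used in plugin preambles.

```python
import re

# Constructed sample Snort rules; the sids and CVE/BID numbers are placeholders, not real entries.
SNORT_RULES = """\
alert tcp any any -> any 445 (msg:"SAMPLE lsass overflow attempt"; reference:cve,2099-0001; reference:bugtraq,90001; sid:900001; rev:1;)
alert tcp any any -> any 80 (msg:"SAMPLE web traversal"; reference:cve,2099-0002; sid:900002; rev:1;)
alert tcp any any -> any 5554 (msg:"SAMPLE worm backdoor listener"; sid:900003; rev:1;)
"""

# Constructed NASL plugin header fragments; plugin ids and references are placeholders.
NESSUS_PLUGINS = """\
script_id(900100); script_cve_id("CVE-2099-0001"); script_bugtraq_id(90001);
script_id(900101); script_bugtraq_id(90002);
"""

SNORT_REF = re.compile(r'reference:\s*(cve|bugtraq),\s*([^;]+);')
NASL_REF = re.compile(r'script_(cve_id|bugtraq_id)\(([^)]*)\)')

def norm(kind, value):
    """Normalise one reference into a join key: 'CVE-YYYY-NNNN' or 'BID-NNNNN'."""
    value = value.strip().strip('"').upper()
    if kind.startswith('cve'):
        return value if value.startswith('CVE-') else 'CVE-' + value
    return 'BID-' + value

def parse(text, id_pattern, ref_pattern):
    """Map each rule/plugin id (first id_pattern match per line) to its set of join keys."""
    out = {}
    for line in text.splitlines():
        m = re.search(id_pattern, line)
        if m:
            out[int(m.group(1))] = {norm(k, v) for k, vals in ref_pattern.findall(line)
                                    for v in vals.split(',')}
    return out

def correlate(rules_text, nasl_text):
    """Join Snort sids to Nessus plugin ids on shared CVE/BID keys. Returns (matches, uncorrelated):
    matches maps sid -> sorted plugin ids (empty when Nessus knows none of the rule's references);
    uncorrelated lists sids with no CVE/BID reference at all, i.e. exploit-based rules to map by hand."""
    snort = parse(rules_text, r'sid:\s*(\d+);', SNORT_REF)
    nessus = parse(nasl_text, r'script_id\((\d+)\)', NASL_REF)
    index = {}
    for pid, keys in nessus.items():
        for key in keys:
            index.setdefault(key, set()).add(pid)
    matches = {sid: sorted(set().union(*(index.get(k, set()) for k in keys)))
               for sid, keys in snort.items() if keys}
    uncorrelated = sorted(sid for sid, keys in snort.items() if not keys)
    return matches, uncorrelated
```

On the sample data, sid 900002 cites only a CVE while the nearest plugin declares only a BID, so it joins to nothing, which is the kind of supporting-information gap the reply warns about.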
[EMAIL PROTECTED] wrote:
Hi All,
I am doing some research into integrating Snort and Nessus together.
Just wondering if there are any Snort or Nessus experts out there who
can tell me if they are using the same tables for their signatures,
because I understand that they both use CVE and BID tracking. Not too sure
about the way their signatures are stored, though. It would be great if
anyone out there can shed some light on this.
Thanks a lot,
Crux
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------