Vikram Phatak wrote:
> Hi Crux,
> It is not a simple matter to integrate Nessus & Snort since there are
> quite a few errors in the snort signatures, or in the supporting
> information for many of the snort signatures (CVE, BID, descriptions,
> etc.).
How so? Please provide a little more information.
> Also, many snort signatures do not have CVE, BID references
> since historically they have been written based upon packet captures of
> specific exploits (such as "Sasser") as opposed to vulnerabilities
> (LSASS), which is how CVE entries are sorted.
Absolutely incorrect. LSASS is the detect method and the rules detect
exploitation of a vulnerability, not an exploit.
> And there is no publicly
> available DB that I know of that correlates exploits to vulnerabilities.
> So - In many cases, you will need to determine which vulnerability a
> specific exploit was written to take advantage of, and work your way
> back from there.
bugtraq reference: 1565
references: 1441
arachNIDS references: 432
McAfee reference: 9
nessus reference: 676
url reference: 971
any reference: 2713
Total number of rules 3910
Bugtraq coverage: 40%
cve coverage: 36%
arachNIDS coverage: 11%
McAfee coverage: 2%
Nessus coverage: 17%
url coverage: 25%
Percentage coverage any reference: 70%
> We (Lucid Security) have found that it was far more efficient (and
> reliable) to choose the OS & Application versions that we want to
> protect (MSFT, Linux, Solaris, Apache, IIS, SQL, etc.) and prioritize
> accordingly. We then chose the appropriate CVE entries that met the
> requirements of our "filter" and wrote and tested signatures based upon
> the vulnerability accordingly. If there was an existing signature that
> met our requirements, then great! But we found that was rarely the
> case.
I take it you are not in the spirit of the community and as such are
either selling your wares and saying screw the rest of the community or
you are simply spreading FUD. Which is it?
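As an added example, not part of this thread or of the Snort project, here is a small Python script that produces the kind of per-system reference counts and coverage percentages quoted above from a Snort rules file. The rule lines and reference ids in SAMPLE_RULES are constructed placeholders, and the script assumes a rule is counted once per reference system it cites, which is my reading of how the figures above were produced.

```python
import re
from collections import Counter

# Reference systems counted below; these match the categories in the figures above.
REF_SYSTEMS = ("bugtraq", "cve", "arachnids", "mcafee", "nessus", "url")

# Rule header up to the first "(", then the option body up to the final ")".
RULE_RE = re.compile(r"^\s*(?:alert|log|pass|drop|reject|sdrop)\s+[^(]*\((?P<opts>.*)\)\s*$")
REF_RE = re.compile(r"reference\s*:\s*([A-Za-z0-9_-]+)\s*,\s*([^;]+);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules with placeholder ids; not real Snort rules or real references.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE lsass overflow"; reference:bugtraq,99001; reference:cve,1999-9001; reference:nessus,99001; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE web request"; reference:url,example.invalid/advisory; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"SAMPLE dns query (no refs)"; sid:1000003; rev:1;)
# alert tcp any any -> any 21 (msg:"SAMPLE disabled rule"; reference:bugtraq,99004; sid:1000004; rev:1;)
"""

def parse_rules(text):
    """Yield (sid, {system: [ids]}) for every active (uncommented) rule."""
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # disabled rule, not part of the active set
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines, variable definitions, etc.
        opts = m.group("opts")
        sid_m = SID_RE.search(opts)
        sid = int(sid_m.group(1)) if sid_m else None
        refs = {}
        for system, ident in REF_RE.findall(opts):
            refs.setdefault(system.lower(), []).append(ident.strip())
        yield sid, refs

def reference_coverage(text):
    """Return (total rules, rules with >=1 ref per system, coverage percentages)."""
    total = 0
    with_ref = Counter()
    for _sid, refs in parse_rules(text):
        total += 1
        for system in refs:
            with_ref[system] += 1
        if refs:
            with_ref["any"] += 1
    coverage = {s: round(100 * with_ref[s] / total) if total else 0
                for s in REF_SYSTEMS + ("any",)}
    return total, dict(with_ref), coverage

def rules_without_reference(text):
    """SIDs of active rules carrying no reference at all: the ones needing manual mapping."""
    return [sid for sid, refs in parse_rules(text) if not refs]

if __name__ == "__main__":
    total, counts, cov = reference_coverage(SAMPLE_RULES)
    print(f"Total number of rules {total}")
    for system in REF_SYSTEMS + ("any",):
        print(f"{system} reference: {counts.get(system, 0)}  coverage: {cov[system]}%")
    print("no reference:", rules_without_reference(SAMPLE_RULES))
```

Point it at a real rules directory (concatenate the .rules files into `text`) to reproduce the coverage table for your own rule set and to list the SIDs that still need a vulnerability mapped back by hand.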