On Monday 22 April 2002 06:09 pm, Renaud Deraison wrote:
> On Tue, Apr 23, 2002 at 08:38:26AM +1000, Marc Bown wrote:
> > On this note - would it be a good idea to create a database of snort
> > fingerprints for each nessus plugin? Maybe developers could submit
> > snort fingerprints for plugins as they are created?
> >
> The snort guys have been sending me CVE updates recently (thanks Brian!)
> so you can use CVE IDs to do Nessus-to-Snort mappings.

Brian rocks ;)

This Perl script will create a snort-like "map" of nessus plugins to their
appropriate references. This is comparable to the "sid-msg.map" file in the
snort distribution. I wrote a handful of scripts to suck this all into a
database (snort, nessus, cve, can, bugtraq, etc) that Xram_Lrak designed. If
anyone is interested I will make all this available. I was planning on doing
a full-blown everything-everything correlation through the database and
making it public, but lack of time and perceived interest dropped it down in
priority until I forgot about it.

Usage:
ls *.nasl | xargs -i perl create_map.pl {} >> nessus-msg.map
---[ begin create_map.pl
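#!/usr/bin/perl -w
##################
# Emit one sid-msg.map style line for a single Nessus plugin (.nasl) file:
#   plugin_id || plugin_file || cve,<id> || bugtraq,<id>
my $plugin = shift() || "-";    # "-" makes the two-argument open read STDIN
my $plugin_id = 0;
my $plugin_cve = 0;
my $plugin_bt = 0;
open(PLUGIN, "<" . $plugin) || die "could not open plugin: $!";
while (<PLUGIN>)
{
    # stop once all three fields are found; stopping on id and cve alone
    # would miss a script_bugtraq_id() call that appears later in the file
    if ($plugin_id && $plugin_cve && $plugin_bt) { last; }
    if (m/script_cve_id\(\"(.*)\"\)/) { $plugin_cve = $1; }
    if (m/script_id\((.*)\)/) { $plugin_id = $1; }
    if (m/script_bugtraq_id\((.*)\)/) { $plugin_bt = $1; }
}
close(PLUGIN);
if(!$plugin_id)
{
    print STDERR "ERROR: NO ID FOUND: $plugin\n";
    exit;
}
my $map = "$plugin_id || $plugin ";
if($plugin_cve)
{
    $map .= "|| cve,$plugin_cve ";
}
if($plugin_bt)
{
    $map .= "|| bugtraq,$plugin_bt ";
}
# write the finished line to STDOUT so the usage line above can append it
print "$map\n";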
---
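
Added example, not part of the original post or of the Nessus or Snort distributions: a Python sketch of the Nessus-to-Snort correlation discussed above, joining a nessus-msg.map against a sid-msg.map on shared CVE/CAN and Bugtraq references. All map lines, plugin ids, sids and rule names below are constructed, and the function names are hypothetical; the second Nessus line mimics what create_map.pl captures when a plugin lists several CVE ids.

```python
import re
from collections import defaultdict

# Constructed sample data (not real map contents). Both files use the layout
# "id || name || type,value || ..." as written by create_map.pl and sid-msg.map.
NESSUS_MAP = """\
10001 || example_a.nasl || cve,CAN-2001-0001 || bugtraq,1111
10002 || example_b.nasl || cve,CVE-2001-0002", "CVE-2001-0003
10003 || example_c.nasl || bugtraq,2222, 3333
10004 || example_d.nasl || cve,CVE-2001-9999
"""
SNORT_MAP = """\
# constructed sample, comment lines are ignored
900001 || EXAMPLE constructed rule a || cve,CVE-2001-0001
900002 || EXAMPLE constructed rule b || bugtraq,3333 || cve,CAN-2001-0003
900003 || EXAMPLE constructed rule c || url,example.invalid
"""

def parse_map(text):
    """Return {id: (name, set of normalized (type, value) references)}."""
    entries = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # blank line, comment, or malformed entry
        refs = set()
        for field in fields[2:]:
            kind, _, values = field.partition(",")
            if kind.strip().lower() == "cve":
                # CAN-YYYY-NNNN keeps its number when it becomes CVE-YYYY-NNNN,
                # so key on the number and accept several ids in one field.
                for year, num in re.findall(r"(?:CVE|CAN)-(\d{4})-(\d+)", values, re.I):
                    refs.add(("cve", f"{year}-{num}"))
            elif kind.strip().lower() == "bugtraq":
                refs.update(("bugtraq", n) for n in re.findall(r"\d+", values))
        entries[int(fields[0])] = (fields[1], refs)
    return entries

def correlate(nessus_text, snort_text):
    """Map each Nessus plugin id to the sorted Snort sids sharing a reference."""
    by_ref = defaultdict(set)
    for sid, (_, refs) in parse_map(snort_text).items():
        for ref in refs:
            by_ref[ref].add(sid)
    return {pid: sorted(set().union(*(by_ref.get(r, set()) for r in refs)))
            for pid, (_, refs) in parse_map(nessus_text).items()}

if __name__ == "__main__":
    for pid, sids in correlate(NESSUS_MAP, SNORT_MAP).items():
        print(pid, "->", sids or "no matching Snort rule")
```

Plugins that map to an empty list are checks with no Snort signature sharing a reference, which is the coverage gap a per-plugin fingerprint database would have to fill.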