RE: Snort and Nessus Signature

From: Derick Anderson (danderson_at_vikus.com)
Date: 09/16/05

  • Next message: dave.anon_at_gmail.com: "Tippingpoint"
    Date: Fri, 16 Sep 2005 12:54:11 -0400
    To: <focus-ids@securityfocus.com>
    
    

     

    > -----Original Message-----
    > From: cruxiezzzzz@yahoo.com [mailto:cruxiezzzzz@yahoo.com]
    > Sent: Friday, September 16, 2005 2:53 AM
    > To: focus-ids@securityfocus.com
    > Subject: Snort and Nessus Signature
    >
    > Hi All,
    >
    > I am doing some research into integrating Snort and Nessus together.
    > Just wondering if there are any Snort or Nessus experts out
    > there that can tell me if they are using the same tables for
    > their signatures?
    > Because I understand that they both use the CVE and BID
    > tracking. Not too sure about the way their signatures are
    > stored, though. Would be great if anyone out there can shed
    > some light on this.
    >
    > Thanks a lot
    >
    > Crux

    Snort sigs are all stored in text files and there's plenty of
    documentation on them. Many have BIDs and CVE numbers and some even have
    Nessus plugin IDs. However, there are some that have only Snort
    signature IDs or are generated by preprocessors. Those signatures are
    usually just generically bad packets.

    My suggestion (and I'm not a CISSP or anything, so it's just what I
    think, and if you already thought of this good for you):

    Find a way to store Snort rules and Nessus signatures in a database and
    use some program to generate your own flat-file Snort ruleset. Leave all
    Snort rules that don't have any of those IDs in the ruleset. Run Nessus
    and then whatever matches you get you can now correlate with Snort
    signatures. Add those to your ruleset and you'll have a fairly optimized
    set.

    I've occasionally considered doing something like this but have always
    lacked the time. I wouldn't do this if I were going to use Snort-Inline
    as an IPS, though. Since I[D|P]Ses are an "enumerating badness" game I'd
    want to block as much bad traffic as I could get away with. With an IDS,
    I want to know about recon activity and exploits that can actually hurt
    me.

    Derick Anderson
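
The correlation Derick sketches above, as an added example that is not part of the original thread and not a tool from either project: parse the `reference:` and `sid:` options out of Snort rule text, turn a set of Nessus findings into the same (kind, id) form, and emit only the rules that either carry no vulnerability reference at all (kept unconditionally, as the post suggests) or whose CVE, BugTraq or Nessus plugin reference matched something the scanner found. The rules, the sids (local 1000000+ range), the CVE/BID values and the findings list are all constructed for the example; the findings dict layout (`plugin_id`, `cve`, `bid`) is an assumption about how a Nessus report would be loaded, not the Nessus file format.

```python
"""Correlate Nessus findings with Snort rules by their shared reference IDs.

Added example, not code from Snort, Nessus or the list post. All rules, sids,
CVE/BID values and findings below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Reference kinds that tie a rule to a specific vulnerability. A rule with
# none of these (generic "bad packet" signatures) is kept unconditionally.
VULN_REF_KINDS = {"cve", "bugtraq", "nessus"}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REF_RE = re.compile(r"\breference\s*:\s*([A-Za-z0-9_-]+)\s*,\s*([^;]+);")

# Constructed sample ruleset (sids in the local range, placeholder references).
SAMPLE_RULES = r'''
# constructed rules for the example
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"LOCAL web exploit A"; content:"/vuln_a"; reference:cve,2005-9901; reference:bugtraq,10001; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"LOCAL web exploit B"; content:"/vuln_b"; reference:nessus,90002; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"LOCAL ftp exploit C"; content:"C"; reference:cve,CVE-2005-9903; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"LOCAL generic bad packet"; flags:SF; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL smb exploit D, two lines"; \
    content:"D"; reference:cve,2005-9904; reference:url,example.invalid; sid:1000005; rev:1;)
'''

# Constructed Nessus findings, already loaded into dicts (assumed layout).
SAMPLE_FINDINGS = [
    {"plugin_id": 90002, "cve": [], "bid": []},
    {"plugin_id": 90010, "cve": ["CVE-2005-9903"], "bid": [10003]},
]


@dataclass
class Rule:
    sid: int
    text: str
    refs: set = field(default_factory=set)


def normalize_ref(kind, value):
    """Map a (kind, value) pair onto the form used on both sides of the join."""
    kind = kind.strip().lower()
    value = str(value).strip()
    if kind == "cve":
        value = value.upper()
        if value.startswith("CVE-"):   # Snort rules write reference:cve,2005-1234
            value = value[4:]
    elif kind == "bid":
        kind = "bugtraq"
    return (kind, value)


def join_continuations(text):
    """Snort allows a trailing backslash to continue a rule on the next line."""
    out, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1]
        else:
            out.append(buf + line)
            buf = ""
    if buf:
        out.append(buf)
    return out


def parse_rules(text):
    """Return Rule objects for every rule line that carries a sid."""
    rules = []
    for line in join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end = line.find("("), line.rfind(")")
        if start < 0 or end < start:
            continue                      # header-only or malformed line
        opts = line[start + 1:end]
        sid = SID_RE.search(opts)
        if not sid:
            continue
        refs = {normalize_ref(k, v) for k, v in REF_RE.findall(opts)}
        rules.append(Rule(int(sid.group(1)), line, refs))
    return rules


def findings_to_refs(findings):
    """Collect every plugin id, CVE and BID the scanner reported."""
    refs = set()
    for f in findings:
        refs.add(normalize_ref("nessus", f["plugin_id"]))
        for c in f.get("cve", []):
            refs.add(normalize_ref("cve", c))
        for b in f.get("bid", []):
            refs.add(normalize_ref("bugtraq", b))
    return refs


def build_ruleset(rules_text, findings):
    """Keep rules with no vulnerability reference, plus rules the scan confirmed."""
    found = findings_to_refs(findings)
    selected = []
    for rule in parse_rules(rules_text):
        vuln_refs = {r for r in rule.refs if r[0] in VULN_REF_KINDS}
        if not vuln_refs or vuln_refs & found:
            selected.append(rule)
    return selected


if __name__ == "__main__":
    # Write the optimized flat-file ruleset to stdout.
    for r in build_ruleset(SAMPLE_RULES, SAMPLE_FINDINGS):
        print(r.text)
```

With the constructed data the generic flags rule (sid 1000004) survives, the two rules whose Nessus plugin and CVE references were reported (1000002, 1000003) survive, and the two whose references the scan never matched are dropped. The multi-line rule shows why continuation lines must be joined before the options are parsed.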


