RE: Snort and Nessus Signature

From: Derick Anderson (danderson_at_vikus.com)
Date: 09/16/05

  • Next message: dave.anon_at_gmail.com: "Tippingpoint"
    Date: Fri, 16 Sep 2005 12:54:11 -0400
    To: <focus-ids@securityfocus.com>
    
    

     

    > -----Original Message-----
    > From: cruxiezzzzz@yahoo.com [mailto:cruxiezzzzz@yahoo.com]
    > Sent: Friday, September 16, 2005 2:53 AM
    > To: focus-ids@securityfocus.com
    > Subject: Snort and Nessus Signature
    >
    > Hi All,
    >
    > I am doing some research into integrating Snort and Nessus together.
    > Just wondering if there are any Snort or Nessus Experts out
    > there that can tell me if there are using the same tables for
    > their signatures?
    > cause i understand that they both use the CVE and BID
    > tracking. Not to sure bout the way their signatures are
    > stored though. would be great if anyone out there can shed
    > some light on this.
    >
    > thanks alot
    >
    > Crux

    Snort sigs are all stored in text files and there's plenty of
    documentation on them. Many have BIDs and CVE numbers and some even have
    Nessus plugin IDs. However, there are some that have only Snort
    signature IDs or are generated by preprocessors. Those signatures are
    usually just generically bad packets.

    My suggestion (and I'm not a CISSP or anything, so it's just what I
    think, and if you already thought of this good for you):

    Find a way to store Snort rules and Nessus signatures in a database and
    use some program to generate your own flat-file Snort ruleset. Leave all
    Snort rules that don't have any of those IDs in the ruleset. Run Nessus
    and then whatever matches you get you can now correlate with Snort
    signatures. Add those to your ruleset and you'll have a fairly optimized
    set.

    I've occasionally considered doing something like this but have always
    lacked the time. I wouldn't do this if I were going to use Snort-Inline
    as an IPS, though. Since I[D|P]Ses are an "enumerating badness" game I'd
    want to block as much bad traffic as I could get away with. With an IDS,
    I want to know about recon activity and exploits that can actually hurt
    me.

    Derick Anderson

    ------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it
    with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    ------------------------------------------------------------------------


  • Next message: dave.anon_at_gmail.com: "Tippingpoint"