[Snort-users] snort and nessus

counter.spy at ...348...
Tue Mar 19 00:33:05 EST 2002


Hi Allen,
Difficult question to answer. This will take a whole lot of work, I think.

I have done some testing with nessus on snort last week as part of
evaluation of snort for my diploma thesis.

My aim was to perform some chosen few scans rather than full scans.
The nessus attacks are not all similar, i.e. some of them have various
dependencies, e.g. the SSH exploits in section "Gain a shell remotely"
depend on the results of the SSH version detection in section "General".
Without this information the SSH exploits don't even start.

Another issue is that snort sometimes detects the attempt, sometimes it
detects only the successful attempt; that depends on the rule, and the rule
depends on the attack.

Ergo, what you need to do is:
- activate only those nessus attacks that fit to your environment (i.e.
  existent services)
- check for dependencies in nessus
- check for the appropriate snort rules and comment out those you don't need.
- check which snort rules detect the attempt and what rules detect only the
  successful attempt.

In order to be able to detect other attacks, too, you should consider
setting up a dedicated sensor for this purpose.

So if you have checked your environment for vulnerabilities and set up a
dedicated sensor with rules that fit to those vulnerabilities, you should be
able to detect only those attacks that were successful with your dedicated
snort sensor.

But you really should try to fix your security holes in the first place ;)

I hope that helps somehow.

Greetings,
D. Liesen
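The third step of the procedure above (keep only the snort rules that fit the services nessus actually found, and comment out the rest) is easy to script. The following is an added example, not code from the original post or from the snort or nessus projects; the nessus findings and the snort rules in it are constructed sample data, the rule parser only reads the classic `action proto src sport -> dst dport` header, and anything it cannot parse is left enabled rather than silently dropped.

```python
import re

# Constructed Nessus findings (made-up sample, not real scan output): services seen open.
NESSUS_FINDINGS = [
    {"host": "10.0.0.5", "proto": "tcp", "port": 22, "service": "ssh"},
    {"host": "10.0.0.5", "proto": "tcp", "port": 80, "service": "www"},
]
# Constructed Snort rules in classic header syntax (local sids, not a real ruleset).
SNORT_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH example"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80:90 (msg:"WWW example"; sid:1000003;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP example"; sid:1000004;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP example"; sid:1000005;)
"""
HEADER_RE = re.compile(  # action proto src sport dir dst dport (
    r"^\s*(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")

def exposed_services(findings):
    """(proto, port) pairs Nessus saw open on any scanned host."""
    return {(f["proto"], f["port"]) for f in findings}

def port_matches(spec, port):
    """True if a Snort port spec ('22', '80:90', ':1024', 'any') covers port."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return spec.isdigit() and int(spec) == port

def rule_applies(rule, services):
    """Keep a rule whose proto/dest port hits an exposed service; unparsable or non-port rules stay."""
    m = HEADER_RE.match(rule)
    if not m:
        return True
    proto, dport = m.group(2), m.group(7)
    if dport == "any" or proto not in ("tcp", "udp"):
        return True
    return any(p == proto and port_matches(dport, port) for p, port in services)

def filter_rules(rules_text, findings):
    """Comment out rules for services Nessus did not find; return the new text."""
    services = exposed_services(findings)
    out = []
    for line in rules_text.splitlines():
        if line.strip() and not line.startswith("#") and not rule_applies(line, services):
            line = "# " + line  # disabled: no matching service in the scan results
        out.append(line)
    return "\n".join(out) + "\n"
```

Port-based matching only reproduces the first and third steps; which of the kept rules fire on the attempt versus the successful attack still has to be checked by hand, rule by rule.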

--------------------------original message------------------------------
> Hi,
> 
> Serious question this, very important.
> 
> I'd like to scan my machines for vulnerabilities with nessus and then
> automatically make snort only report positive attacks for those particular
> vulnerabilities. In theory (and I'll take the chance) anything else is a
> false positive.
> 
> Has anyone done this, thought of doing this, tried this?
> 
> Or any other comments?
> 
> Allen Baranov
> 
