2

We plan to add Snort with the firewall for our network to have improved security. The purpose, apart from protection from malicious traffic, is to customize Snort to detect and block specific traffic as per our needs. So basically I will be writing rules for Snort for our specific needs. But before beginning all that, I need to use a vulnerability scanner tool to know the vulnerabilities which are not being detected presently by the Snort-firewall combo, and then I can start writing rules for Snort for those vulnerabilities. Given my situation, can I have suggestions for the right tool? I know but a few names like Nessus, Metasploit, OpenVAS, nmap....

pnp

2 Answers

1

Just download the Backtrack 5 distro (http://www.backtrack-linux.org/downloads/) as it's free and comes with Nmap, Nessus, Metasploit, OpenVAS and much more. IMHO, nmap is the best scanner but everyone has their own preference. Metasploit has some nice integration with nmap.

Out of the box Snort will detect a lot of the default scans because the packets sent have a signature/form that's been out there for years and so is well-known.

Additionally, there's so much scanning these days on the net that people (rightly or wrongly) generally ignore such noise on the firewalls or ids/ips systems.

You'd be better going the extra step and seeing what you can detect or do post the scanning phase (assuming you have permission to launch further attacks/testing). A vulnerability scanner isn't going to necessarily tell you what attacks are possible, only what vulnerabilities it feels your systems have (and these may be false-positive).

Mark Hillick
  • Thanks for the input. Could you elaborate on your last paragraph? By going the 'extra step', do you mean that I should be writing my own exploits as well (say using Metasploit)? Kindly elaborate a little if you meant something else. – pnp May 18 '12 at 10:00
  • No, I don't mean writing your own exploits yet. I meant when you find something that's vulnerable, then test what you can do with it, i.e. can you exploit it! For example, you could have a web app (your own or something like DVWA or WebGoat) behind Snort (not sure if you've got Snort inline or on a span port) and start firing attacks at it (XSS, SQLi or CSRF). Or you could have a basic web app with a default MS-SQL install and a simple 'sa' password, and try to exploit it with something like fast-track.py (found in /pentest/exploits/fastrack on BT5). – Mark Hillick May 18 '12 at 10:23
0

I would not try to implement Snort to detect scanners. You need to implement Snort to detect attacks and probes against your assets. Without knowing what you plan to protect, you cannot write good rules. Detecting a scan for, say, tooltalk when you don't even run it is only going to tell you that someone is running a poorly configured vuln scanner.

Marinus
  • Ummm... does my question say that I want to use Snort to detect scanners? I'm very sorry for the poor use of language. I have no intention of detecting scanners with Snort. Rather, I plan to do exactly what you have written: write rules for Snort to detect possible attacks. And the vulnerability scanner is needed just for the purpose of understanding what attacks are possible on our system (so rules can be added for them in Snort) or for launching attacks. I hope I could make myself more clear. – pnp May 18 '12 at 09:25
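To make the two points above concrete (Mark's suggestion of testing a web app behind Snort with XSS/SQLi, and Marinus's point that rules should be scoped to the assets you actually run), here is an added example of asset-scoped local rules in Snort 2.9 syntax; it is not code from either answer, and it assumes `HTTP_SERVERS`/`HTTP_PORTS` are defined in your snort.conf and that the local SID range starts at 1000000.

```snort
# local.rules -- added example, not from the original answers.
# Assumptions: in snort.conf you have something like
#   ipvar HTTP_SERVERS [192.0.2.10/32]      # placeholder: your real web server
#   portvar HTTP_PORTS [80,8080]
# and the http_inspect preprocessor is enabled so http_uri buffers exist.
# Rules are written against the one web app you host, not against every
# service a scanner might probe for (no tooltalk rule if you don't run it).

# SQL injection tautology in the request URI, e.g. id=1' or 1=1
# content: gives the fast-pattern matcher a literal to key on;
# pcre /U matches against the normalized URI buffer (so %27 is seen as ').
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"LOCAL WEB SQLi tautology in URI"; \
    flow:to_server,established; \
    content:"'"; http_uri; \
    pcre:"/'\s*(or|and)\s+\d+\s*=\s*\d+/Ui"; \
    classtype:web-application-attack; sid:1000001; rev:1; )

# Reflected XSS probe: a script tag in the request URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"LOCAL WEB XSS script tag in URI"; \
    flow:to_server,established; \
    content:"<script"; nocase; http_uri; \
    classtype:web-application-attack; sid:1000002; rev:1; )
```

Include the file via `include $RULE_PATH/local.rules` in snort.conf, run `snort -T -c snort.conf` to check the rules parse, and then drive DVWA/WebGoat behind the sensor to confirm the alerts fire before moving on to the next finding from your scanner.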