Correlation between Snort and Nessus and easy supervision with Prelude
This small page intend to present mechanisms used to create a running and interesting solution on a Linux platform.
A conference has been made at Solutions Linux 2006 on this theme
Overview
We wanted to create an IPS (Intrusion Prevention Solution) solution able to protect assets by detecting vulnerabilities on the network and stopping threats when it matches this vulnerability. Nevertheless, one knows production environment are often reluctant in dropping business traffic. That's why we used a second level, a monitoring level used to warn IT team when a threat signature is being observed in accepted businness packets.
Download
Configuration files package (tar.gz) : snort_nessus.tar.gz
Movie detailing the main project usage : ips.avi
Presentation file for Linux Solutions 2006 in Paris : Solution Linux 2006 Correlation et IPS.pdf
Used components
snort- inline , oinkmaster , crafted shell scripts
nessus , crafted shell scripts
prelude , prelude-lml , prewikka , crafted shell scripts
iptables
Graphes
Technical details
Some files used have to be explained :
-
Snort config[ download ] : this file precise needed snort variables. It uses the stream4_inline preproc to drop bad sessions. It also uses the alert_prelude output to send IDMEF alerts to prelude-manager
-
Automated IPS rules changes. 4 files have been written for this step.
drop-high-rules [download], a simple perl script which aims at traducing snort severities (one or several) rules into drop rules.
nessus-snort [download], a perl script which import nessus report in order to create a specially crafted small vulnerabilty report used at least by third snort-rules, this report can be used locally or sent to a remote machine whether scanner is not the IPS.
snort-rules [download] is a perl script which will use vulnerability found in the vulnerability report to parse snort rules, trying to find same vulnerabilty identifier (based on CVE, CAN, bugtraq and nessus).
tune-rules [download ] , a batch script used to launch other scripts -
Correlation is also made via a bundle of several scripts.
vuln.conf [download], a simple file where you place your db credentials and other system parameters .
prelude-lml.conf [download], the configuration file for lml where we have to define the log file in where we write if an alert is matching a vulnerability.
alex.rules [download], this is the configuration file for the log format where we define the corresponding idmef fields
Nessus2Prelude_mysqlschema.sql [download ], a simple sql file which aims at purging/creating the Prelude_CorrelationVulnerability table
nessus2PreludeCorrelation.pl [download] : This tool can import reports of vulnerabilities audits made by other tools. Those reports will then be integrated in the database used by a prelude-manager to record security alerts. Owing to this import, frontends for Prelude-IDS will be able to add correlation about vulnerability found before.
nessusAlertEnforcer [download ], This tool can find correlation between the alerts recorded in your database, and the vulnerability reports that have been imported before in this database owing to the other associated tool. Those vulnerability reports must have been created owing to assessment tools (audits).
The two last files were inspired from an initial Laurent Oudot work. -
iptable rule file [download] can give you an idea for a working solution. This file will entirely depends on your access control security policy. You'll see that many rules will receive the QUEUE action, sending them directly in userland where snort-inline will use them.
-
crontab [download], this is just an example file for what we have used for this proof of concept