VulnerabilityCorrelation
From NSMWiki
The thing that would take Sguil to the next level (IMHO) is correlating events with the target's vulnerability/patch status. The beauty of Sguil for me is largely in how it streamlines the analyst's task, doing the dumb stuff like tracking pcap files so I can save brain cycles for actual analysis.
Well, the next round of dumb stuff the console could do for me is to give me a right-click option for the source or destination that would tell me whether a particular box had the patch for the vulnerability a given event references.
For this to have a prayer of working, you'd have to have a patch/vulnerability database. Nessus reports are a good start, but they can only address listening services, right? By FAR the majority of my events have to do with passive attacks: web browser exploits of various types.
You'd have to have reverse DNS working, or a hook into the DHCP database, to turn the event's IP address into a host name. DNS seems the right way to go.
You'd then have to check the signature references for patch info. In the Windows world, that's the MSyy-nnn security bulletin ID. You'd have to translate the bulletin number to the KB number(s) of the fix.
Then you'd have to be able to query the patch database. In the Windows world, WSUS stores patch data in an MS-SQL database. You could build it other ways, such as with Sysinternals PsInfo, whose -h parameter lists installed hotfixes in a hard-to-parse format.
The ultimate would be if Sguil could do the reverse DNS lookup, check for a patch (matching the references of the rule that triggered the event to the associated patches), see if that patch has been applied, and autocat accordingly. The short-term approach (still a big win) would be presenting a screen of all patching info for the host in question and letting the analyst look there.
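The pipeline sketched above, as an added Python example that is not part of NSMWiki or of Sguil itself: reverse-resolve the event's IP, pull the MS bulletin ID out of the triggering Snort rule's `reference:` options, map it to KB numbers, and check the host's installed hotfixes. The PTR table, the bulletin-to-KB mapping, the Snort rule and the `psinfo -h` output below are all constructed sample data so the script runs offline; a production version would plug in `socket.gethostbyaddr` (or a DHCP lease export), the bulletin pages, and the WSUS database in their place. Because the PsInfo layout differs between versions, the parser keys on `KBnnnnnn` tokens rather than on columns.

```python
"""Correlate a Sguil/Snort event with the target host's patch status.

Added example; the data tables below are constructed for illustration.
"""
import re
from typing import Callable, Dict, Optional, Set

# Step 1: constructed reverse-DNS table standing in for the PTR zone (or a
# DHCP lease table). Pass resolver=lambda ip: socket.gethostbyaddr(ip)[0]
# to use real DNS.
PTR_TABLE: Dict[str, str] = {
    "192.168.1.50": "ws-alice.corp.example",
    "192.168.1.51": "ws-bob.corp.example",
}


def reverse_lookup(ip: str, resolver: Callable[[str], Optional[str]] = PTR_TABLE.get) -> Optional[str]:
    """Return the host name for ip, or None if it cannot be resolved."""
    try:
        return resolver(ip)
    except OSError:  # socket.herror / gaierror from a real resolver
        return None


# Step 2: signature references -> MSyy-nnn bulletin -> KB article(s).
_REFERENCE = re.compile(r"reference:\s*([^;]+);")
_BULLETIN = re.compile(r"\bMS(\d{2})-(\d{3})\b", re.IGNORECASE)

# Constructed mapping; in practice built from the bulletin pages or WSUS.
BULLETIN_TO_KB: Dict[str, Set[str]] = {"MS08-067": {"KB958644"}}


def bulletins_from_rule(rule: str) -> Set[str]:
    """Extract bulletin IDs from every reference: option of a Snort rule."""
    found: Set[str] = set()
    for ref in _REFERENCE.findall(rule):
        for yy, nnn in _BULLETIN.findall(ref):
            found.add(f"MS{yy}-{nnn}")
    return found


# Step 3: installed hotfixes, here from psinfo -h style text (constructed).
_KB = re.compile(r"\bKB\d{6,7}\b")


def hotfixes_from_psinfo(text: str) -> Set[str]:
    """Pull KB numbers out of psinfo -h output regardless of column layout."""
    return set(_KB.findall(text))


PSINFO_INVENTORY: Dict[str, str] = {
    "ws-alice.corp.example": "OS Hot Fix Installed\nKB956803    11/3/2008\nKB958644    11/3/2008\n",
    "ws-bob.corp.example": "OS Hot Fix Installed\nKB956803    11/3/2008\n",
}

# Constructed rule with a Microsoft bulletin URL in its references.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB srvsvc overflow attempt"; '
    "reference:cve,2008-4250; "
    "reference:url,www.microsoft.com/technet/security/bulletin/MS08-067.mspx; "
    "sid:1000001; rev:1;)"
)


# Step 4: the decision an analyst would otherwise make by hand.
def correlate(ip: str, rule: str, inventory: Dict[str, str] = PSINFO_INVENTORY,
              resolver: Callable[[str], Optional[str]] = PTR_TABLE.get) -> Dict[str, object]:
    """Return patched / unpatched / unknown for the host behind ip, plus the
    evidence (host, bulletins, required and missing KBs, reason)."""
    result: Dict[str, object] = {"ip": ip, "host": reverse_lookup(ip, resolver),
                                 "bulletins": set(), "required": set(),
                                 "missing": set(), "verdict": "unknown", "reason": ""}
    bulletins = bulletins_from_rule(rule)
    result["bulletins"] = bulletins
    if not bulletins:
        result["reason"] = "rule carries no MS bulletin reference"
        return result
    required: Set[str] = set()
    for bulletin in bulletins:
        kbs = BULLETIN_TO_KB.get(bulletin)
        if kbs is None:  # unmapped bulletin: do not guess, hand to the analyst
            result["reason"] = f"no KB mapping for {bulletin}"
            return result
        required |= kbs
    result["required"] = required
    host = result["host"]
    if host is None or host not in inventory:
        result["reason"] = "host not resolvable or not in patch inventory"
        return result
    missing = required - hotfixes_from_psinfo(inventory[host])
    result["missing"] = missing
    result["verdict"] = "patched" if not missing else "unpatched"
    return result


if __name__ == "__main__":
    for ip in ("192.168.1.50", "192.168.1.51", "10.0.0.9"):
        r = correlate(ip, SAMPLE_RULE)
        print(ip, r["host"], r["verdict"], sorted(r["missing"]), r["reason"])
```

Only a "patched" verdict is a candidate for autocat; "unpatched" and "unknown" (unresolvable host, host missing from the inventory, or a bulletin with no KB mapping) should stay in the analyst's queue, which is exactly the short-term "show me the patch info" mode.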

