Re: Vulscan - NSE script for vulnerability detection based on version detection

[Jiayi Ye <yejiayily () gmail com>]

Hi,

I am not quite sure how often the vuln databases publish updates. As for
exploit-db, the csv file I downloaded yesterday is different from the file
I downloaded today. I agree that unifying the databases requires a lot of
manual work, but updating database separately also requires manual work
because the format of downloaded files differs and we need to change them
to match the format(<id>;<title>). Also, there is no unified way to
download all the different db files. So how to update the vuln db more
conveniently? Waiting for suggestions.

Regards,
Jiayi

On Thu, Jun 11, 2015 at 9:45 PM, Paulino Calderon Pale <
paulino () calderonpale com> wrote:

> Jiayi,
>
> I like the idea of not displaying the same alert from different databases.
> However, I don’t think the best approach is to unify the databases as it
> will required a lot of work to keep up to date as you mentioned. Do we know
> how often they publish these updates? Maybe we can do the matching using
> the vulnerability name instead. I know this will not be 100% reliable but
> it beats having to maintain a database that needs frequent updates.
>
> Ps. I forwarded your email to the list to include them in the discussion.
>
> Begin forwarded message:
>
> *From: *Jiayi Ye <yejiayily () gmail com>
> *Subject: **Re: Vulscan - NSE script for vulnerability detection based on
> version detection*
> *Date: *June 10, 2015 at 10:02:17 PM CDT
> *To: *Paulino Calderon Pale <paulino () calderonpale com>
>
> Hey, as Patricio Castagnaro mentioned in the mail, did he mean that if a
> vuln both in cve db and securityfoocus db, it's better to show one alert?
> Considering that we want to update the database and we want to show only
> one alert, could we maintain a vuln db which is extracted from other dbs?
> And we update our db periodly, users can update their db through a link to
> our db. But it seemed that it needs a amount of manual work to maintain our
> own vuln db. (The mail is the same with the message I sent you in Skype.)
>
> On Thu, Jun 11, 2015 at 6:21 AM, Paulino Calderon Pale <
> paulino () calderonpale com> wrote:
>
> > Hi list,
> >
> > Jiayi is working on improving/updating Marc Ruef’s vulscan script (
> > http://www.computec.ch/projekte/vulscan/?) to finally get it ready for
> > inclusion. For those unfamiliar with the script, it takes the results of
> > version detection and matches possible vulnerabilities existing in several
> > databases (cve, exploitdb, openvas, osvdb, securityfocus, securitytracker,
> > xforce, scipvuldb) that will be distributed separately. The script aims to
> > turn nmap into a vulnerability scanner that takes advantage of our powerful
> > version detection engine.
> >
> > Some time ago Marc even posted a second enhanced version of the script (
> > http://seclists.org/fulldisclosure/2013/Aug/166) but unfortunately it
> > seems it slipped by our attention. This week I asked Marc if he got any
> > feedback and he mentioned something about Fyodor recommending him to
> > include an ‘update databases’ function in the script but I wanted to see if
> > others had also different comments/issues. The script seems to work as
> > expected as it is. However, we have a couple of different ideas for
> > improvements like:
> > * The script can suggest the users to run other NSE scripts if the CVE id
> > matches (and we have a script for it)
> > * Reducing the number of false positives by not printing information if
> > version detection was not accurate enough.
> >
> > Does anyone remember if there was another reason why it didn’t get
> > included? Can you think of other improvements that can done?  We would love
> > to hear your ideas!
> >
> > Cheers.
>
>
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/