Nessus Attack Analysis Using Snort
By: spoonfork
--] 1.0 Introduction
This article focuses on the analysis of Nessus attacks using Snort. In it, I
will present some of the common Nessus attack signatures. This will hopefully
help security analysts detect attacks that are generated by the Nessus
security scanner.
--] 1.1 Nessus Security Scanner
Nessus was written by Renaud Deraison. It provides the Internet community with
a free, powerful, up-to-date and easy to use remote security scanner. It is
plug-in based software: the Nessus plugin families consist of checks for
backdoors, denial of service, CGI attacks, port scanners and various other
tests. So far, there are about 500 plugins in Nessus. Nessus is also built on a
client-server architecture. The Nessus client can run on either Windows or Unix
platforms, whereas the server only runs on Unix.
Nessus is one of the most popular vulnerability scanners around, and is
preferred by both security professionals and hackers.
--] 1.2 Snort
Snort is a lightweight network intrusion detection system developed by Marty
Roesch. Just like Nessus, it is free and Open Source. Snort is also a very
powerful signature-based IDS. So far, it has over 1300 attack signatures.
Besides functioning as a NIDS, Snort can also be used to perform forensic
analysis.
--] 2.0 The Setup
There are two machines used for the analysis, and both are set-up in an
isolated network. There are no other machines on the test network.
192.168.1.1 is the attacked server. It is a custom installation of RedHat
7.2 with only a few services running:
[root@angel root]# cat sex69.txt
# nmap (V. 2.54BETA29) scan initiated Sat Apr 13 14:21:58 2002 as: nmap -sT -vv -oN sex69.txt 192.168.1.1
Interesting ports on (192.168.1.1):
(The 1543 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
80/tcp     open        http
111/tcp    open        sunrpc
443/tcp    open        https
3306/tcp   open        mysql
# Nmap run completed at Sat Apr 13 14:21:58 2002 -- 1 IP address (1 host up) scanned in 0 seconds
Apache and MySQL were installed from source. I decided not to enable the telnet
and FTP services. Snort 1.8.5 was installed from source on the test server. All
of the signatures were used with their default settings.
192.168.1.2 is the Nessus server, also a RedHat 7.2 machine. Nessus 1.0.10 was
installed from source on this server. Nmap, however, was not installed prior to
the test, so Nessus was portscanning using its own portscanning plugins. I
decided not to include Nmap in the Nessus installation because Nmap scans
would generate a lot of noise that is not of interest for this analysis. My
objective is to focus on Nessus attacks only.
For the testing, the default scan methods were chosen. All of the plugins were
used, with no modifications whatsoever. In fact, I also did not bother to look
at Nessus's IDS evasion techniques (hopefully this will be the subject of
another paper).
--] 3.0 The Test
The test was fairly simple. On the test server, I started Snort and had it log
the alerts in ASCII to text files. On the Nessus server, I just fired up
Nessus, chose the default plugins and started scanning.
--] 4.0 The Results
I wrote two simple Perl scripts (alert_stat.pl and scan_stat.pl, listed in
section 6.0) to analyze the Snort capture of Nessus attacks. The scripts
generate statistics of the Nessus vulnerability scanning.
--] 4.1 Nessus Attack Signatures
The following are the results of the Nessus attacks:
Summary
---------------------------------
Total alerts      : 330
Signatures        : 112
Unique Src IP     : 2
Unique Dst IP     : 2
Unique Src Port   : 303
Unique Dst Port   : 27

Protocol
TCP               : 321    97.27%
ICMP              : 1       0.30%
UDP               : 8       2.42%
---------------------------------
There were 330 alerts detected by Snort, from a total of 112 attack signatures.
Even though I am attacking from a single machine, Snort detects two source
IPs, which belong to the test server and the Nessus server (the test server
generates replies that also trigger signatures). The same goes for destination
IPs. 27 unique destination ports were probed/attacked, coming from 303
distinct source ports. A majority of the attacks were TCP-based.
The top 10 attack signatures are as follows:
Count  Signature
-------------------------------------------------------------------------------
   83  WEB-MISC Cisco IOS HTTP configuration attempt
   32  WEB-CGI scriptalias access
   15  WEB-MISC /etc/passwd
   15  BAD TRAFFIC tcp port 0 traffic
   13  WEB-CGI formmail access
   13  WEB-MISC http directory traversal
   10  spp_stream4: STEALTH ACTIVITY (NULL scan) detection
    9  WEB-MISC admin.php access
    8  SCAN Proxy attempt
    6  WEB-IIS scripts access
I am not sure why there were 83 detected attempts at WEB-MISC Cisco IOS
HTTP configuration attempts.
The top attacked ports are as follows:
Destination Port   Attacks   Signatures
----------------------------------------
80                 278       95
137                10        1
0                  9         4
8080               8         1
69                 2         2
38286              1         1
38549              1         1
38574              1         1
22572              1         1
22573              1         1
22574              1         1
10080              1         1
22575              1         1
10081              1         1
22576              1         1
22577              1         1
38032              1         1
22578              1         1
3128               1         1
31337              1         1
Most of the attacks were to port 80 (HTTP), with 278 attacks coming from
95 attack signatures.
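The statistics above (totals, unique IPs and ports, protocol mix, top signatures, top destination ports) are the kind of thing alert_stat.pl computes from Snort's ASCII alert file. The following is an added Python reimplementation of that idea, not the author's script and not part of the original article. It assumes the alert file is in Snort's "full" ASCII format (one record per alert, records separated by a blank line, a "[**] [gid:sid:rev] msg [**]" header, a timestamp/address line and a protocol line); the sample records, their SIDs (local-rule range placeholders) and packet fields are constructed for the example and mirror only the lab addresses from the article.

```python
import re
from collections import Counter

# Constructed sample in Snort "full" ASCII alert format. Signature names and
# addresses mirror the article's lab; SIDs and packet details are made up.
SAMPLE_ALERTS = """\
[**] [1:1000001:1] WEB-MISC Cisco IOS HTTP configuration attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/13-14:25:01.101010 192.168.1.2:33001 -> 192.168.1.1:80
TCP TTL:64 TOS:0x0 ID:40001 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7A8B  Win: 0x16D0  TcpLen: 32

[**] [1:1000001:1] WEB-MISC Cisco IOS HTTP configuration attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/13-14:25:01.202020 192.168.1.2:33002 -> 192.168.1.1:80
TCP TTL:64 TOS:0x0 ID:40002 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x1A2B3C4E  Ack: 0x5E6F7A8C  Win: 0x16D0  TcpLen: 32

[**] [1:1000002:1] WEB-MISC /etc/passwd [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/13-14:25:02.303030 192.168.1.2:33003 -> 192.168.1.1:80
TCP TTL:64 TOS:0x0 ID:40003 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x1A2B3C4F  Ack: 0x5E6F7A8D  Win: 0x16D0  TcpLen: 32

[**] [1:1000003:1] SCAN Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/13-14:25:03.404040 192.168.1.2:33004 -> 192.168.1.1:8080
TCP TTL:64 TOS:0x0 ID:40004 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C50  Ack: 0x0  Win: 0x16D0  TcpLen: 40

[**] [1:1000004:1] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
04/13-14:25:04.505050 192.168.1.2 -> 192.168.1.1
ICMP TTL:64 TOS:0x0 ID:40005 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1234   Seq:1  ECHO

[**] [1:1000005:1] BAD TRAFFIC tcp port 0 traffic [**]
[Classification: Misc activity] [Priority: 3]
04/13-14:25:05.606060 192.168.1.1:0 -> 192.168.1.2:33005
TCP TTL:64 TOS:0x0 ID:40006 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x1A2B3C51  Win: 0x0  TcpLen: 20
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
# Address line; ports are optional because ICMP alerts carry none.
PACKET_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))?$"
)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:")


def parse_alerts(text):
    """Split a full-format alert file into records, one dict per alert."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert record (e.g. a preprocessor banner)
        rec = {"sid": f"{m.group(1)}:{m.group(2)}", "msg": m.group(4),
               "src": None, "sport": None, "dst": None, "dport": None,
               "proto": None}
        for line in lines[1:]:
            pm = PACKET_RE.match(line)
            if pm:
                rec["src"], rec["dst"] = pm.group(2), pm.group(4)
                rec["sport"] = int(pm.group(3)) if pm.group(3) else None
                rec["dport"] = int(pm.group(5)) if pm.group(5) else None
                continue
            pr = PROTO_RE.match(line)
            if pr:
                rec["proto"] = pr.group(1)
        if rec["proto"]:  # drop records whose packet lines were truncated
            alerts.append(rec)
    return alerts


def summarize(alerts):
    """The article's summary block: totals, unique IPs/ports, protocol mix."""
    total = len(alerts)
    proto = Counter(a["proto"] for a in alerts)
    return {
        "total": total,
        "signatures": len({a["msg"] for a in alerts}),
        "unique_src_ip": len({a["src"] for a in alerts}),
        "unique_dst_ip": len({a["dst"] for a in alerts}),
        "unique_src_port": len({a["sport"] for a in alerts if a["sport"] is not None}),
        "unique_dst_port": len({a["dport"] for a in alerts if a["dport"] is not None}),
        "protocol": {p: (n, round(100.0 * n / total, 2)) for p, n in proto.items()},
    }


def top_signatures(alerts, n=10):
    """(message, count) pairs, most frequent first."""
    return Counter(a["msg"] for a in alerts).most_common(n)


def top_dst_ports(alerts, n=10):
    """Per destination port: alert count and number of distinct signatures."""
    count, sigs = Counter(), {}
    for a in alerts:
        if a["dport"] is None:
            continue
        count[a["dport"]] += 1
        sigs.setdefault(a["dport"], set()).add(a["msg"])
    return [(port, cnt, len(sigs[port])) for port, cnt in count.most_common(n)]


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    print(summarize(recs))
    print(top_signatures(recs))
    print(top_dst_ports(recs))
```

Note that the "port 0" record, where the attacked server is the source, is what makes both lab hosts appear as source and destination IPs, as the article observes for its own capture.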
--] 4.2 Nessus Portscan Signatures
The portscans were analyzed from the portscan.log generated by Snort. The
results are as follows:
%tage    Count   Type
======================
98.43    251     SYN
 0.39      1     FIN
 0.39      1     VECNA
 0.39      1     NULL
 0.39      1     SYNFIN

Number of scans                   : 255
Number of unique source ports     : 254
Number of unique destination ports: 116
There were a total of 255 portscans, directed at 116 destination ports, coming
from 254 source ports.
The summary for destination ports are as follows:
Top destination ports
=======================
Count   Port
   60   80
   17   23
   10   21
    9   25
    8   79
    7   22
    6   8080
    6   8000
    5   0
    5   3306
    3   53
    3   119
    3   110
    2   264
    2   1433
    2   901
    2   2301
    2   256
    2   1541
    2   1521
    2   8888
    2   5631
    2   139
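The scan-type percentages, the unique port counts and the top destination ports above come from the portscan preprocessor's log rather than from the alert file. As an added example, not the author's scan_stat.pl and not part of the original article, the following Python reads that log and produces the same three summaries. It assumes the Snort 1.x portscan.log line layout "Mon DD HH:MM:SS src:sport -> dst:dport TYPE FLAGS"; the sample lines are constructed for the example and mirror only the lab addresses.

```python
import re
from collections import Counter

# Constructed sample in the line format of Snort 1.x's portscan preprocessor
# (portscan.log). Addresses mirror the article's lab; everything else is made
# up, including one junk line to show that non-matching lines are skipped.
SAMPLE_PORTSCAN_LOG = """\
Apr 13 14:22:01 192.168.1.2:43210 -> 192.168.1.1:80 SYN ******S*
Apr 13 14:22:01 192.168.1.2:43211 -> 192.168.1.1:23 SYN ******S*
Apr 13 14:22:01 192.168.1.2:43212 -> 192.168.1.1:80 SYN ******S*
Apr 13 14:22:02 192.168.1.2:43213 -> 192.168.1.1:21 SYN ******S*
Apr 13 14:22:02 192.168.1.2:43214 -> 192.168.1.1:80 FIN *******F
Apr 13 14:22:02 192.168.1.2:43215 -> 192.168.1.1:80 NULL ********
Apr 13 14:22:03 192.168.1.2:43216 -> 192.168.1.1:22 SYNFIN ******SF
Apr 13 14:22:03 192.168.1.2:43217 -> 192.168.1.1:80 VECNA ****U***
this line is not a scan entry and must be ignored
"""

# The day field is space-padded for days 1-9, hence " +".
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\S+)(?: (\S+))?$"
)


def parse_portscan_log(text):
    """One dict per scan entry; lines that do not match the layout are skipped."""
    scans = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        scans.append({
            "time": m.group(1),
            "src": m.group(2), "sport": int(m.group(3)),
            "dst": m.group(4), "dport": int(m.group(5)),
            "type": m.group(6), "flags": m.group(7),
        })
    return scans


def scan_type_table(scans):
    """(percentage, count, type) rows, most frequent scan type first."""
    total = len(scans)
    return [(round(100.0 * n / total, 2), n, t)
            for t, n in Counter(s["type"] for s in scans).most_common()]


def scan_summary(scans):
    """Number of scans and distinct source/destination ports."""
    return {
        "scans": len(scans),
        "unique_src_ports": len({s["sport"] for s in scans}),
        "unique_dst_ports": len({s["dport"] for s in scans}),
    }


def top_scanned_ports(scans, n=10):
    """(port, count) pairs for the most-probed destination ports."""
    return Counter(s["dport"] for s in scans).most_common(n)


if __name__ == "__main__":
    entries = parse_portscan_log(SAMPLE_PORTSCAN_LOG)
    for pct, cnt, typ in scan_type_table(entries):
        print(f"{pct:6.2f} {cnt:5d}  {typ}")
    print(scan_summary(entries))
    print(top_scanned_ports(entries))
```

Splitting the scan-type column out of the flags string is what lets an analyst see at a glance whether a scanner is using plain SYN probes or the stealthier FIN, NULL and SYNFIN variants, which is exactly the distinction the table above draws.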
--] 5.0 Conclusions
Nessus is an excellent vulnerability scanner. However, it cannot be used as
an attack tool because it generates a lot of noise. Nessus attacks can be
easily detected (but not identified) by Snort.
--] 6.0 References and Scripts
[1] Snort, developed by Martin Roesch,
    http://www.snort.org
[2] Nessus, developed by Renaud Deraison,
    http://www.nessus.org
[3] alert_stat.pl,
    http://mel.ini2.net/snort_trace/alert_stat.pl
[4] scan_stat.pl,
    http://mel.ini2.net/snort_trace/scan_stat.pl
[5] Snort logs of Nessus attacks,
    http://mel.ini2.net/snort_trace/log-2.tar.gz