I ran into the same issue when putting together the common directory and 
compromised IIS server plugins. Much of the data was actually pulled from 
the log files of systems scanned with a variety of tools. These logs were 
either test systems that I constantly scan when doing tool evaluations, 
or web servers who were sharing their logs with the world (Google!). 

Is it ethical to use web server logs to build an assessment tool? I think 
so, as long as you aren't tearing the tool apart to pull its sigs. Sure, 
people are going to stick honeypot sigs into it to see if you are using 
their data, but anything sitting in a publicly accessible log file is 
fair game IMO. 

Maybe my perspective is skewed, anyone else have a take on this?

-HD

On Tuesday 10 June 2003 01:07 pm, Ron Gula wrote:
> This is a very difficult question. For some people, they call this
> 'research'. When I did the Dragon IDS, I had no problem looking at a
> competitor's web site and seeing which checks they did to make sure we
> had those covered as well. What I did not like is seeing my checks
> copied verbatim into other vendors' and open-source tools, including
> the spelling mistakes and errors in the signatures.
>
> If you take N-Stealth's list directly, I would think this would
> constitute reverse engineering, especially if one of their directory
> checks is not really real and designed to be a 'honeypot' check so to
> speak. Consider some rule that checks for '/bo2k_test/cgi-bin/' in
> their list. How do you know that really is a check that is for a
> vulnerability they know about?
>
> Ron Gula
> Tenable Network Security
>
> At 01:42 PM 6/10/2003 -0700, John Lampe wrote:
> >I downloaded N-stealth, and ran it against one of my apache
> > servers...I then parsed out my logs to see what it was looking for...
> >
> >It does a bunch of extra unicode checks and it checks for a *crapload*
> > of default directories...
> >
> >Maybe someone can help me...is there anything wrong with me going
> > through my log files, finding deltas (between Nessus and N-stealth),
> > and adding these to Nessus????
> >
> >John W. Lampe
> >https://f00dikator.aceryder.com/
> >
> >
> >----- Original Message -----
> >From: "~Kevin Davis" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Monday, June 09, 2003 7:54 PM
> >Subject: Re: N-Stealth vs. Nessus
> >
> > > To further that thought, ISS Internet Scanner (6.21/7.0) only
> > > covers slightly over 1,200 vulnerabilities.  And several of those
> > > are very old vulns.  There is a big difference between having a
> > > database of vulns and properly scanning and identifying them and
> > > them being relatively pertinent.
> >
> > > ~Kevin Davis
> > >
> > > What possibly could go wrong?
> > > ----- Original Message -----
> > > From: "Renaud Deraison" <[EMAIL PROTECTED]>
> > > To: "Luman" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > > Sent: Monday, June 09, 2003 9:31 PM
> > > Subject: Re: N-Stealth vs. Nessus
> > >
> > > > For the record, securityfocus's vuln database
> > > > contains less than 8,000 entries at this time (including non-web
> > > > and local vulnerabilities), and I think ISS's XF database
> > > > contains ~ 12,000 entries (and again, this includes local and
> > > > non-web vulnerabilities).
