Nessus Attack Analysis Using Snort
By: spoonfork

--] 1.0 Introduction

This article focuses on the analysis of Nessus attacks using Snort. In it, I will present some of the common Nessus attack signatures. This will hopefully help security analysts detect attacks that are generated by the Nessus security scanner.

--] 1.1 Nessus Security Scanner

Nessus was written by Renaud Deraison. Nessus provides the Internet community with a free, powerful, up-to-date and easy to use remote security scanner. It is plug-in based software. The Nessus plugin families consist of checks for backdoors, denial of service, CGI attacks, port scanners, and various other tests. So far, there are about 500 plugins in Nessus. Nessus is also built as a client-server architecture. The Nessus client can run on either the Windows or the Unix platform, whereas the server only runs on Unix. Nessus is one of the most popular vulnerability scanners around, and is preferred by both security professionals and hackers.

--] 1.2 Snort

Snort is a lightweight network intrusion detection system developed by Marty Roesch. Just like Nessus, it is free and Open Source. Snort is also a very powerful signature-based IDS. So far, it has over 1300 attack signatures. Besides functioning as an NIDS, Snort can also be used to perform forensic analysis.

--] 2.0 The Setup

There are two machines used for the analysis, and both are set up in an isolated network. There are no other machines on the test network.

192.168.1.1 is the attacked server. It is a custom installation of RedHat 7.2 with only a few services running:

[root@angel root]# cat sex69.txt
# nmap (V. 2.54BETA29) scan initiated Sat Apr 13 14:21:58 2002 as: nmap -sT -vv -oN sex69.txt 192.168.1.1
Interesting ports on (192.168.1.1):
(The 1543 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
80/tcp     open        http
111/tcp    open        sunrpc
443/tcp    open        https
3306/tcp   open        mysql
# Nmap run completed at Sat Apr 13 14:21:58 2002 -- 1 IP address (1 host up) scanned in 0 seconds

Apache and mysql were installed from source. I decided not to enable the telnet and FTP services. Snort 1.8.5 was installed from source on the test server. All of the signatures are used by default.

192.168.1.2 is the Nessus server, also a RedHat 7.2 machine. Nessus 1.0.10 was installed from source on this server. Nmap, however, was not installed prior to the test, so Nessus was portscanning using its own portscanning plugins. I decided not to include Nmap in the Nessus installation because Nmap scans would generate a lot of noise that is not of interest for this analysis. My objective is to focus on Nessus attacks only.

For the testing, the default scan methods were chosen. All of the plugins are used. There is no modification whatsoever. In fact, I also did not look at Nessus's IDS evasion techniques (hopefully this will be a subject for another paper).

--] 3.0 The Test

The test was fairly simple. On the test server, I started Snort and had it log the alerts in ASCII to text files. On the Nessus server, I just fired up Nessus, chose the default plugins and started scanning.

--] 4.0 The Results

I wrote two simple Perl scripts to analyze the Snort capture of Nessus attacks. The scripts generate statistics of the Nessus vulnerability scanning.
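The two scripts themselves (alert_stat.pl and scan_stat.pl, listed under 6.0) are not reproduced in this article, so what follows is an added example, written in Python for this edit rather than in the author's Perl, of the kind of summary they produce: it parses Snort's one-line ("fast") alert format and the spp_portscan log and computes the totals, protocol split, top signatures, per-destination-port counts and scan-type breakdown that sections 4.1 and 4.2 report. The log lines inside the block are constructed samples, not lines from the author's log-2.tar.gz: timestamps, SIDs and port numbers are placeholders, the signature names are Snort rule names (several taken from the article's top-10 list), and the portscan layout is my approximation of Snort 1.8's spp_portscan output.

```python
"""Statistics from Snort ASCII alert and portscan logs, in the spirit of the
article's alert_stat.pl / scan_stat.pl (added Python example, not the author's
scripts; every log line below is a constructed sample)."""
import re
from collections import Counter

# Constructed lines in Snort's one-line ("fast") alert format; timestamps,
# SIDs ([1:NNN:1]) and source ports are placeholders.
ALERTS = """\
04/13-14:25:01.000001  [**] [1:101:1] WEB-MISC Cisco IOS HTTP configuration attempt [**] [Priority: 2] {TCP} 192.168.1.2:35001 -> 192.168.1.1:80
04/13-14:25:01.000002  [**] [1:101:1] WEB-MISC Cisco IOS HTTP configuration attempt [**] [Priority: 2] {TCP} 192.168.1.2:35002 -> 192.168.1.1:80
04/13-14:25:01.000003  [**] [1:101:1] WEB-MISC Cisco IOS HTTP configuration attempt [**] [Priority: 2] {TCP} 192.168.1.2:35003 -> 192.168.1.1:80
04/13-14:25:02.000004  [**] [1:102:1] WEB-CGI scriptalias access [**] [Priority: 2] {TCP} 192.168.1.2:35004 -> 192.168.1.1:80
04/13-14:25:02.000005  [**] [1:103:1] WEB-MISC /etc/passwd [**] [Priority: 2] {TCP} 192.168.1.2:35005 -> 192.168.1.1:80
04/13-14:25:03.000006  [**] [1:104:1] BAD TRAFFIC tcp port 0 traffic [**] [Priority: 2] {TCP} 192.168.1.2:35006 -> 192.168.1.1:0
04/13-14:25:03.000007  [**] [1:105:1] SCAN Proxy attempt [**] [Priority: 2] {TCP} 192.168.1.2:35007 -> 192.168.1.1:8080
04/13-14:25:04.000008  [**] [1:106:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 192.168.1.2 -> 192.168.1.1
04/13-14:25:04.000009  [**] [1:107:1] SNMP public access udp [**] [Priority: 2] {UDP} 192.168.1.2:35008 -> 192.168.1.1:161
"""

# Constructed lines approximating Snort 1.8's spp_portscan log layout:
# date time src:port -> dst:port TYPE FLAGS
SCANS = """\
Apr 13 14:22:01 192.168.1.2:36001 -> 192.168.1.1:80 SYN ******S*
Apr 13 14:22:01 192.168.1.2:36002 -> 192.168.1.1:23 SYN ******S*
Apr 13 14:22:01 192.168.1.2:36003 -> 192.168.1.1:21 SYN ******S*
Apr 13 14:22:01 192.168.1.2:36004 -> 192.168.1.1:80 SYN ******S*
Apr 13 14:22:02 192.168.1.2:36005 -> 192.168.1.1:80 FIN *******F
Apr 13 14:22:02 192.168.1.2:36006 -> 192.168.1.1:80 NULL ********
Apr 13 14:22:03 192.168.1.2:36007 -> 192.168.1.1:23 SYNFIN ******SF
Apr 13 14:22:03 192.168.1.2:36001 -> 192.168.1.1:25 SYN ******S*
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[[^\]]+\]\s+(?P<sig>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")
SCAN_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<type>\w+)")

def parse(text, regex):
    """One dict per matching line; lines that do not match are skipped."""
    matches = (regex.match(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def percentages(counter, total):
    """(value, count, percent) rows, most common first, as in the article's tables."""
    if total == 0:
        return []
    return [(k, n, round(100.0 * n / total, 2)) for k, n in counter.most_common()]

def alert_stats(text, top=10):
    """Section 4.1 style summary: totals, protocol split, top signatures and,
    per destination port, the number of alerts and of distinct signatures."""
    rows = parse(text, ALERT_RE)
    total = len(rows)
    per_port = {}  # dport -> Counter(signature -> alerts)
    for r in rows:
        if r["dport"] is not None:  # ICMP alerts carry no ports
            per_port.setdefault(int(r["dport"]), Counter())[r["sig"]] += 1
    ports = [(p, sum(c.values()), len(c)) for p, c in per_port.items()]
    return {
        "total": total,
        "signatures": len({r["sig"] for r in rows}),
        "unique_src_ip": len({r["src"] for r in rows}),
        "unique_dst_ip": len({r["dst"] for r in rows}),
        "unique_src_port": len({r["sport"] for r in rows if r["sport"]}),
        "unique_dst_port": len(per_port),
        "protocols": percentages(Counter(r["proto"] for r in rows), total),
        "top_signatures": Counter(r["sig"] for r in rows).most_common(top),
        "ports": sorted(ports, key=lambda t: (-t[1], t[0])),  # busiest port first
    }

def scan_stats(text, top=10):
    """Section 4.2 style summary of the portscan log: scan-type split,
    distinct source/destination ports and the most probed destination ports."""
    rows = parse(text, SCAN_RE)
    total = len(rows)
    dports = Counter(int(r["dport"]) for r in rows)
    return {
        "scans": total,
        "types": percentages(Counter(r["type"] for r in rows), total),
        "unique_src_port": len({r["sport"] for r in rows}),
        "unique_dst_port": len(dports),
        "top_dst_ports": dports.most_common(top),
    }

if __name__ == "__main__":
    a, s = alert_stats(ALERTS), scan_stats(SCANS)
    print("Total alerts : %d   Signatures : %d" % (a["total"], a["signatures"]))
    for proto, n, pct in a["protocols"]:
        print("%-5s: %3d  %6.2f%%" % (proto, n, pct))
    for port, n, sigs in a["ports"]:
        print("port %-6d attacks=%-4d signatures=%d" % (port, n, sigs))
    for kind, n, pct in s["types"]:
        print("%6.2f  %4d  %s" % (pct, n, kind))
```

To run it against a real capture, replace ALERTS and SCANS with the contents of Snort's alert file (written with the fast output format) and of portscan.log. Note that the counts answer the question the article's conclusion raises, whether a scan is detectable, not who is scanning: a single scanner shows up as hundreds of distinct source ports, so the per-signature and per-port counts are the useful view, not the source-port list.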
--] 4.1 Nessus Attack Signatures

The following are the results of the Nessus attacks:

Summary
---------------------------------
Total alerts    : 330
Signatures      : 112
Unique Src IP   : 2
Unique Dst IP   : 2
Unique Src Port : 303
Unique Dst Port : 27

Protocol
TCP  : 321   97.27%
ICMP :   1    0.30%
UDP  :   8    2.42%
---------------------------------

There were 330 alerts detected by Snort, from a total of 112 attack signatures. Even though I am attacking from a single machine, Snort detects two source IPs, which belong to the test server and the Nessus server. The same goes for destination IPs. 27 unique destination ports were probed/attacked, from 303 distinct source ports. A majority of the attacks were TCP-based.

The top 10 attack signatures are as follows:

Count  Signature
-------------------------------------------------------------------------------
   83  WEB-MISC Cisco IOS HTTP configuration attempt
   32  WEB-CGI scriptalias access
   15  WEB-MISC /etc/passwd
   15  BAD TRAFFIC tcp port 0 traffic
   13  WEB-CGI formmail access
   13  WEB-MISC http directory traversal
   10  spp_stream4: STEALTH ACTIVITY (NULL scan) detection
    9  WEB-MISC admin.php access
    8  SCAN Proxy attempt
    6  WEB-IIS scripts access

I am not sure why there were 83 detected attempts at WEB-MISC Cisco IOS HTTP configuration attempts.

The top attacked ports are as follows:

Destination Port   Attacks   Signatures
----------------------------------------
80                 278       95
137                10        1
0                  9         4
8080               8         1
69                 2         2
38286              1         1
38549              1         1
38574              1         1
22572              1         1
22573              1         1
22574              1         1
10080              1         1
22575              1         1
10081              1         1
22576              1         1
22577              1         1
38032              1         1
22578              1         1
3128               1         1
31337              1         1

Most of the attacks were to port 80 (HTTP), with 278 attacks coming from 95 attack signatures.

--] 4.2 Nessus Portscan Signatures

The portscans were analyzed from the portscan.log generated by Snort.
The results are as follows:

%tage   Count   Type
======================
98.43   251     SYN
 0.39     1     FIN
 0.39     1     VECNA
 0.39     1     NULL
 0.39     1     SYNFIN

Number of scans                   : 255
Number of unique source ports     : 254
Number of unique destination ports: 116

There were a total of 255 portscans, directed at 116 ports, coming from 116 source ports. The summary for destination ports is as follows:

Top destination ports
=======================
Count  Port
   60  80
   17  23
   10  21
    9  25
    8  79
    7  22
    6  8080
    6  8000
    5  0
    5  3306
    3  53
    3  119
    3  110
    2  264
    2  1433
    2  901
    2  2301
    2  256
    2  1541
    2  1521
    2  8888
    2  5631
    2  139

--] 5.0 Conclusions

Nessus is an excellent vulnerability scanner. However, it cannot be used as an attack tool because it generates a lot of noise. Nessus attacks can be easily detected (but not identified) by Snort.

--] 6.0 References and Scripts

[1] Snort, developed by Martin Roesch, http://www.snort.org
[2] Nessus, developed by Renaud Deraison, http://www.nessus.org
[3] alert_stat.pl, http://mel.ini2.net/snort_trace/alert_stat.pl
[4] scan_stat.pl, http://mel.ini2.net/snort_trace/scan_stat.pl
[5] Snort logs of Nessus attacks, http://mel.ini2.net/snort_trace/log-2.tar.gz