This appendix provides some background on Cisco Secure Scanner rules and explains how to write your own vulnerability rules.
The Scanner uses rules to scan for vulnerabilities on the network.
The Scanner uses three types of rules to scan for vulnerabilities on the network: service rules, OS rules, and vulnerability rules.
When a session is launched, the Scanner runs the service rules first to identify all services on the network. The OS rules run next; the information gained from the service rules helps the Scanner identify the operating systems on the network. The vulnerability rules run last, because the Scanner uses the results of the service and OS rules to help identify vulnerabilities on the network.
The Scanner tries to match as many vulnerability rules as possible from the entire list of rules. The user-defined rules are part of the vulnerability set of rules. User rules examine port or banner data that both TCP and UDP port scans collect. The port scan data can be supplemented by nudges, which are small pieces of program code that nudge a particular port or service into providing more information beyond the simple connection banner.
Cisco gives you the opportunity to write user-defined vulnerability rules for the Scanner. User-defined vulnerability rules offer the following:
Customers who have purchased the maintenance agreement can go to http://www.cisco.com/go/scanner to look for the rules updates. Follow the directions on the web site for downloading the new rules file.
Any rules that you have written between rules updates will not be overwritten when you download and install the latest vulnerability rules. Your user-defined rules are retained and processed after the Scanner runs the vulnerability rules set.
All user-defined rules are stored in the following file:
./etc/rules/user.rules
The user.rules file contains the most current instructions for adding new rules. Because the Scanner rules are continuously being updated, the user.rules file will always contain embedded comments with the latest examples.
This section describes the master syntax and keywords used in user-defined vulnerability rules.
User rules consist of a left side and a right side, separated by the => ("implies") mark. Two syntax statements (scanfor, has port) can only be used on the left side of the rule. Another syntax statement (axis name) can be used on either side of the rule. The hypercube fact can only be used on the right side of the rule. The hypercube is the patent-pending multidimensional database that is the underlying force behind the Grid Browser.
The following master rules display the required syntax for both sides of a user rule:
Caution: Make sure that you have no typos in your user rules and that the order of the elements fits the master syntax exactly.
There are three severity levels in user-defined rules:
Severity 1: Applies to vulnerabilities that permit reconnaissance activities, but do not lead to unauthorized access.
Severity 2: Applies to vulnerabilities that permit some level of unauthorized data access or denial of service.
Severity 3: Applies to vulnerabilities that permit intruders to execute arbitrary commands on network servers.
You can define your own Vulnerability Type or use one of the following keywords in the <vulnerability type> field.
The following sample rules can be found in the user.rules text file in C:\Program Files\Cisco Systems\Cisco Secure Scanner\etc\rules\user.rules.
Here is an example of a scanfor rule:
To have your new rule show up in the report or in the NSDB, you must create HTML files for the rule. See the section "Creating a User Rule" for the procedure.
Use the following procedures to create a user-defined rule, to add it to the user-rules file so that the Scanner can scan for it, and to have it appear in reports and in the NSDB.
To create a user rule, follow these steps:
Step 1 Determine what kind of user rule you need.
For example, you can write a service, scanfor, port, or vulnerability rule.
Step 2 Write the rule in WordPad using the correct syntax (see "Master Rule Syntax" for more information):
Example: scanfor "UNIX" on port 23 => VUL:1:OS:UNIX:Vp:100006
Step 3 Copy the rule and paste it at the end of the user.rules file, found at the following path:
./etc/rules/user.rules
Step 4 Save the user.rules file.
The Scanner will now scan for your new rule.
Tips: If you have any problems with getting your rule to show up in the proper places, go to the files that you have modified, and check the syntax and spelling of all the rules that you have written.
You must create an HTML file so that your new rule will show up in your reports.
To have your user rule show up in reports, follow these steps:
Step 1 In WordPad, open the rep_vul_0.html template found in ./ReportComponents/Templates.
Step 2 Provide a description of your vulnerability by editing the following fields in the file:
Step 3 Save the file as rep_vul_<vulnerability ID number>.html:
Example: rep_vul_100006.html
Step 4 Copy the file into the following directory:
./ReportComponents/Templates
Step 5 Create a TEMPLATES rule in WordPad using the following syntax:
rep_vul_<vulnerability ID number>.html TEMPLATES VUL:<severity level>:<vulnerability type>:<vulnerability name>:Vp:<vulnerability ID number>
Example: rep_vul_100006.html TEMPLATES VUL:1:OS:UNIX:Vp:100006
Step 6 Copy the TEMPLATES rule and paste it at the end of the user.rules file, found at the following path:
./etc/rules/user.rules
Step 7 Save the user.rules file.
Your new rule will now show up in the Scanner reports.
To have your rule show up as an NSDB entry that maps to your vulnerability and that will be linkable from the Grid Browser, you must create an HTML file.
To create an HTML file for your rule, follow these steps:
Step 1 Open the vul_0.html file found in the following directory:
./Cisco Secure Scanner/html
Step 2 Save the file as vul_<vulnerability ID number>.html:
Example: vul_100006.html
Step 3 Provide a description of your vulnerability by editing the following fields in the file:
Step 4 Copy the file to the following directory:
./Cisco Secure Scanner/html
Step 5 Create a DOCUMENTS rule in WordPad using the following syntax:
vul_<vulnerability ID number>.html DOCUMENTS VUL:<severity level>:<vulnerability type>:<vulnerability name>:Vp:<vulnerability ID number>
Example: vul_100006.html DOCUMENTS VUL:1:OS:UNIX:Vp:100006
Step 6 Copy the DOCUMENTS rule (after the VUL rule) into the user.rules file, found at the following path:
./etc/rules/user.rules
Your new rule and description will now show up in the NSDB.
To make sure that your new rule shows up in all the correct places, follow these steps:
Step 1 Create and run a session.
See Chapter 6, "Creating Sessions" for the procedure for creating sessions.
Step 2 Create a grid of the data.
See Chapter 7, "Viewing Data Results" for more information on creating grids.
Step 3 Check to see that your rule appears as a vulnerability in the grid.
Step 4 Create a report of the data.
See Chapter 9, "Generating Reports" for more information on creating reports.
Step 5 View the report and check to see that your rule appears in the report.
Step 6 Drill down to the host level and click the link to the NSDB to make sure that your new user-defined rule appears in the NSDB.
See Chapter 10, "Network Security Database" for more information on using the NSDB.
Tips: If you have any problems getting your rule to show up in the proper places, go to the files that you have modified, and check the syntax and spelling of all the rules that you have written. The syntax must be exact, that is, in the correct order and with no typos.
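Because a single typo or out-of-order field silently keeps a rule out of the grid, reports and NSDB, a small syntax checker for the rule forms shown in this appendix (scanfor "..." on port N => VUL fact, TEMPLATES and DOCUMENTS lines) is useful before saving user.rules. This is an added example, not part of the Scanner or of its user.rules file; the regular expressions encode only the forms shown above, and the assumption that vulnerability type and name contain no spaces or colons is mine.

```python
import re

# Constructed user.rules excerpt built from the three rule forms this appendix shows
# (scanfor, TEMPLATES, DOCUMENTS), plus two deliberately broken lines. Not the shipped file.
SAMPLE_RULES = """\
scanfor "UNIX" on port 23 => VUL:1:OS:UNIX:Vp:100006
rep_vul_100006.html TEMPLATES VUL:1:OS:UNIX:Vp:100006
vul_100006.html DOCUMENTS VUL:1:OS:UNIX:Vp:100006
scanfor "UNIX" on port 23 => VUL:4:OS:UNIX:Vp:100007
note_100008.html DOCUMENTS VUL:1:OS:UNIX:Vp:100008
"""

# VUL:<severity>:<type>:<name>:Vp:<id> in fixed order; assumes type and name have no spaces/colons.
VUL_RE = re.compile(r"^VUL:(?P<sev>\d+):[^:\s]+:[^:\s]+:Vp:(?P<id>\d+)$")
SCANFOR_RE = re.compile(r'^scanfor "[^"]*" on port (?P<port>\d+) => (?P<fact>\S+)$')
FILE_RE = re.compile(r"^(?P<file>\S+\.html) (?P<kind>TEMPLATES|DOCUMENTS) (?P<fact>\S+)$")
PREFIX = {"TEMPLATES": "rep_vul_", "DOCUMENTS": "vul_"}  # expected HTML file name prefixes

def check_vul(fact):
    """Return the problems found in a VUL fact (an empty list means it is well formed)."""
    m = VUL_RE.match(fact)
    if not m:
        return ["right side is not VUL:<severity>:<type>:<name>:Vp:<id>"]
    return [] if m["sev"] in ("1", "2", "3") else ["severity must be 1, 2 or 3"]

def check_line(line):
    """Classify one line and return (kind, problems); file rules must carry the fact's ID."""
    line = line.strip()
    if not line:
        return ("blank", [])
    m = SCANFOR_RE.match(line)
    if m:
        probs = check_vul(m["fact"])
        if not 1 <= int(m["port"]) <= 65535:
            probs.append("port out of range")
        return ("scanfor", probs)
    m = FILE_RE.match(line)
    if m:
        probs = check_vul(m["fact"])
        v = VUL_RE.match(m["fact"])
        expected = PREFIX[m["kind"]] + (v["id"] if v else "?") + ".html"
        if m["file"] != expected:
            probs.append("file name should be " + expected)
        return (m["kind"], probs)
    return ("unknown", ["line matches none of the rule forms covered here"])

def check_rules(text):
    """Map line number -> problems for every line of a rules file that has any."""
    return {n: p for n, l in enumerate(text.splitlines(), 1) if (p := check_line(l)[1])}
```

Run check_rules on the text of your user.rules before saving; on the sample it reports line 4 (severity 4 is not a valid level) and line 5 (a DOCUMENTS file for ID 100008 must be named vul_100008.html).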
Posted: Thu Jun 29 14:11:45 PDT 2000
Copyright 1989 - 2000 © Cisco Systems Inc.