A Metric for Evaluating the Vulnerability-Attack Detection Coverage of Intrusion Detection Systems

In fact, the CVSS vulnerability threat scoring system was designed so that a threat score can be adjusted over time and for the deployment environment: a vulnerability's CVSS threat score has three layers, the base score, the temporal (lifecycle) adjustment, and the environmental adjustment.

Author: 51cto, 20 October 2007


2.3 Computing the vulnerability-coverage score
Given the table mapping CVE names to their CVSS scores and the list of CVE names a product covers, running the caculate-score.pl script yields the score.
Comparison of the analysis results for the products above:

Product       CVE entries   Total threat score   Mean CVSS score per CVE   Time-adjusted total threat score
RealSecure 7  979           6000.7               6.1                       2694.3
Snort         550           3454.3               6.3                       1476.9
IDP           311           1947.3               6.3                       796.6


From these figures, the ranking of the products by vulnerability coverage is obvious.
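The coverage metric of section 2.3, reimplemented in Python as an added example (this is not the article's caculate-score.pl): it consumes the same two inputs the article's scripts produce, a tab-separated CVE/CVSS-score table and a list of covered CVE names, and returns the four figures shown in the table above. Unlike the article's script, the reference year and the 8-year window are parameters and the decay weight is floored at zero; the sample data is constructed.

```python
import re

REFERENCE_YEAR = 2006   # the article's reference year (hard-coded in caculate-score.pl)
WINDOW = 8              # the article's 8-year linear decay window

# Constructed sample table in the format extract-cve-score.pl prints: "CVE-name<TAB>score".
SCORE_TABLE = (
    "CVE-1999-0001\t5.0\n"
    "CVE-2003-0002\t7.5\n"
    "CVE-2004-0003\t7.2\n"
    "CVE-2006-0004\t10.0\n"
)

# Constructed list of CVEs a product claims to detect, in the format the
# extract-*-cve.pl scripts print (one name per line). It includes a blank line
# and a CVE absent from the table; both must be ignored, as in the article.
PRODUCT_CVES = "CVE-2003-0002\n\nCVE-2006-0004\nCVE-2001-0099\nCVE-1999-0001\n"


def parse_score_table(text):
    """Map CVE name -> CVSS score; malformed lines are skipped."""
    scores = {}
    for line in text.splitlines():
        m = re.match(r"^(CVE-\d{4}-\d{4,})\t(\d{1,2}\.\d)$", line)
        if m:
            scores[m.group(1)] = float(m.group(2))
    return scores


def time_weight(cve_name, ref_year=REFERENCE_YEAR, window=WINDOW):
    """Linear decay from the article: (window - age) / window, where age is
    ref_year minus the CVE's year. Floored at 0 (an addition) so that CVEs
    older than the window never contribute a negative amount."""
    year = int(cve_name.split("-")[1])
    return max(0.0, (window - (ref_year - year)) / window)


def coverage_score(cve_list_text, scores, ref_year=REFERENCE_YEAR):
    """Return (CVE count, total score, mean score, time-adjusted total)."""
    count, total, adjusted = 0, 0.0, 0.0
    for name in (line.strip() for line in cve_list_text.splitlines()):
        if name not in scores:      # blank lines and unknown CVEs are ignored
            continue
        count += 1
        total += scores[name]
        adjusted += scores[name] * time_weight(name, ref_year)
    average = total / count if count else 0.0
    return count, round(total, 1), round(average, 1), round(adjusted, 1)
```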
3. Conclusion
In fact, because the threat score is computed per vulnerability, any security product whose core is vulnerability handling, such as vulnerability databases, security assessment tools and intrusion detection products, can be evaluated by computing the "time-adjusted total threat score" metric in the same way.
Appendix: the scripts used for the score calculation:

extract-cve-score.pl
--------------------------------- 8< --------------------------------------
#!/usr/bin/perl
# Extract "CVE-name<TAB>CVSS score" pairs from an NVD/CVE XML data file.
# Usage: extract-cve-score.pl NVD-XML-FILE > cve-scores.txt
use strict;
use warnings;

die "Usage: $0 NVD-XML-FILE\n" unless @ARGV;
my $data = readDBcontent($ARGV[0]);
# put every <entry ...> on its own line so the attribute regex stays within one entry
$data =~ s/<entry /\n<entry /gi;
# one match per entry, capturing the CVE name and its CVSS score together
# (one regex instead of two parallel ones, so the two lists cannot get out of step)
while ($data =~ m|<entry type="CVE" name="(CVE-\d{4}-\d{4,})" seq="\d{4}-\d{4,}" published="\d{4}-\d\d-\d\d" modified="\d{4}-\d\d-\d\d" severity="[^"]+" CVSS_score="(\d{1,2}\.\d)" |g) {
    print "$1\t$2\n";
}

sub readDBcontent {
    my ($table) = @_;
    open(my $tbl, '<', $table) || die("cannot open $table: $!");
    my $dbcon = do { local $/; <$tbl> };   # slurp the whole file
    close($tbl);
    return $dbcon;
}
--------------------------------- 8< --------------------------------------
extract-snort-cve.pl
--------------------------------- 8< --------------------------------------
#!/usr/bin/perl
# Print the CVE names referenced in a Snort sid-msg.map style file, where
# references appear as "|| cve,YYYY-NNNN" fields.
use strict;
use warnings;

die "Usage: $0 SID-MSG-MAP-FILE\n" unless @ARGV;
my @issues = ();
readDBcontent($ARGV[0], \@issues);
for my $issuetext (@issues) {
    # a line may carry several cve references, and a reference may end the line,
    # so do not require a trailing space after the id
    while ($issuetext =~ m/\|\| cve,(\d{4}-\d{4,})(?!\d)/g) {
        print "CVE-$1\n";
    }
}

sub readDBcontent {
    my ($table, $dbcon) = @_;
    my $count = 0;
    open(my $tbl, '<', $table) || die("cannot open $table: $!");
    @{$dbcon} = <$tbl>;
    close($tbl);
    for my $line (@{$dbcon}) {
        chomp($line);               # aliases the element, so the array itself is updated
        $count++ if $line ne "";
    }
    return $count;                  # number of non-empty lines
}
--------------------------------- 8< --------------------------------------
get-iss-content.pl
--------------------------------- 8< --------------------------------------
#!/usr/bin/perl
# For every ISS vulnerability id in the XPU list (4th comma-separated field of
# each line), fetch its X-Force database page with lynx, keep the text of the
# "X-Force Database Results" section and save it as <id>.txt.  Ids whose file
# already exists and is non-empty are skipped, so the script can be re-run.
use strict;
use warnings;

my @program = ('lynx', '-source');
my $url_b   = "http://xforce.iss.net/xforce/xfdb/";
$|++;   # unbuffered stdout so any progress output appears immediately

die "Usage: $0 XPU-LIST-FILE\n" unless @ARGV;
my @issues = ();
readDBcontent($ARGV[0], \@issues);
for my $issuetext (@issues) {
    my ($aa, $bb, $cc, $vul_id) = split(',', $issuetext);
    # only the leading digits are used, so nothing but a numeric id reaches the URL
    next unless defined($vul_id) && $vul_id =~ m/^(\d+)/;
    $vul_id = $1;
    my $iss_vuln = "$vul_id.txt";
    if (!(-e $iss_vuln) || (-z $iss_vuln)) {
        my $content = getSection($url_b . $vul_id);
        open(my $datafile, '>', $iss_vuln) or die("cannot write $iss_vuln: $!");
        print $datafile $content;
        close($datafile);
    }
}

# Return the page text between the "X-Force Database Results" heading and the
# closing disclaimer, with HTML stripped and runs of blank lines collapsed to one.
sub getSection {
    my ($url) = @_;
    my @page;
    my $section_con = "";
    my $flag = 0;   # inside the wanted section?
    my $last = 0;   # was the previously emitted line blank?
    getPage($url, \@page);
    for my $line (@page) {
        $flag = 0 if $line =~ m/^<p>The information within this database may change without notice/;
        if ($flag) {
            my $text = removeHtmltag($line);
            if ($text eq "") {
                if (!$last) { $section_con .= "\n"; $last = 1; }
            } else {
                $section_con .= "$text\n";
                $last = 0;
            }
        }
        $flag = 1 if $line =~ m/X-Force Database Results/;
    }
    return $section_con;
}

sub getPage {
    my ($url_section, $page_con) = @_;
    # list-form pipe open: the command is run without a shell
    open(my $execfile, '-|', @program, $url_section) or die("cannot run $program[0]: $!");
    @{$page_con} = <$execfile>;
    close($execfile);
}

# Crude HTML-to-text conversion for the X-Force pages: tags that imply line
# breaks become newlines, list items become "---" (extract-iss-cve.pl relies on
# that marker), all other tags are dropped and common entities are decoded.
sub removeHtmltag {
    my ($string) = @_;
    $string =~ s/\t//g;
    $string =~ s/\n//g;
    $string =~ s/&nbsp;/ /g;
    $string =~ s/<br><br>/\n/gi;
    $string =~ s/<br>/\n/gi;
    $string =~ s/<\/?p>/\n/gi;
    $string =~ s/<li>/---/gi;
    $string =~ s/&mdash;/-/g;
    $string =~ s/<\/OPTION>/\n/g;
    $string =~ s/<[^<]*>//g;
    $string =~ s/&lt;/</g;
    $string =~ s/&gt;/>/g;
    $string =~ s/&amp;/&/g;
    $string =~ s/&quot;/"/gi;
    $string =~ s/\015//g;
    $string =~ s/^\s*\n*//;
    return $string;
}

sub readDBcontent {
    my ($table, $dbcon) = @_;
    my $count = 0;
    open(my $tbl, '<', $table) || die("cannot open $table: $!");
    @{$dbcon} = <$tbl>;
    close($tbl);
    for my $line (@{$dbcon}) {
        chomp($line);               # aliases the element, so the array itself is updated
        $count++ if $line ne "";
    }
    return $count;                  # number of non-empty lines
}
--------------------------------- 8< --------------------------------------
extract-iss-cve.pl
--------------------------------- 8< --------------------------------------
#!/usr/bin/perl
# Print the CVE names found in the <id>.txt files saved by get-iss-content.pl,
# for every ISS vulnerability id listed in the XPU list (4th comma-separated field).
# CVE references appear as list items, which removeHtmltag turned into "---CVE-...".
use strict;
use warnings;

die "Usage: $0 XPU-LIST-FILE\n" unless @ARGV;
my @issues = ();
readDBcontent($ARGV[0], \@issues);
for my $issuetext (@issues) {
    my ($aa, $bb, $cc, $vul_id) = split(',', $issuetext);
    next unless defined($vul_id) && $vul_id =~ m/^(\d+)/;
    $vul_id = $1;
    my $iss_vuln = "$vul_id.txt";
    if ((-e $iss_vuln) && !(-z $iss_vuln)) {
        my @contents = ();
        readDBcontent($iss_vuln, \@contents);
        for my $line (@contents) {
            if ($line =~ m/^---(CVE-\d{4}-\d{4,})/) {
                print "$1\n";
            }
        }
    }
}

sub readDBcontent {
    my ($table, $dbcon) = @_;
    my $count = 0;
    open(my $tbl, '<', $table) || die("cannot open $table: $!");
    @{$dbcon} = <$tbl>;
    close($tbl);
    for my $line (@{$dbcon}) {
        chomp($line);               # aliases the element, so the array itself is updated
        $count++ if $line ne "";
    }
    return $count;                  # number of non-empty lines
}
--------------------------------- 8< --------------------------------------
extract-idp-cve.pl
--------------------------------- 8< --------------------------------------
#!/usr/bin/perl
# Print the CVE names referenced in the IDP rule update file, where references
# appear as ":cve (CVE-YYYY-NNNN)".
use strict;
use warnings;

die "Usage: $0 IDP-UPDATE-FILE\n" unless @ARGV;
my @issues = ();
readDBcontent($ARGV[0], \@issues);
for my $issuetext (@issues) {
    # a line may carry several references, so match repeatedly
    while ($issuetext =~ m/:cve \((CVE-\d{4}-\d{4,})\)/g) {
        print "$1\n";
    }
}

sub readDBcontent {
    my ($table, $dbcon) = @_;
    my $count = 0;
    open(my $tbl, '<', $table) || die("cannot open $table: $!");
    @{$dbcon} = <$tbl>;
    close($tbl);
    for my $line (@{$dbcon}) {
        chomp($line);               # aliases the element, so the array itself is updated
        $count++ if $line ne "";
    }
    return $count;                  # number of non-empty lines
}
--------------------------------- 8< --------------------------------------
caculate-score.pl
--------------------------------- 8< --------------------------------------
#!/usr/bin/perl
# Sum the CVSS scores of the CVEs a product covers and print, tab separated:
#   CVE count, total score, mean score per CVE, time-adjusted total score
# The time adjustment weights each CVE by (WINDOW - (REF_YEAR - year)) / WINDOW,
# a linear decay over WINDOW years counted back from the reference year.
use strict;
use warnings;

my $REF_YEAR = 2006;   # reference year used in the article
my $WINDOW   = 8;      # decay window in years

if (scalar(@ARGV) < 2) {
    print "Usage: $0 CVES-LIST-FILE CVE-SCORE-PAIR-LIST-FILE\n";
    exit 1;
}

# CVE name -> CVSS score, from the "name<TAB>score" file written by extract-cve-score.pl
my %cve_name_score = ();
my @score_data = ();
readDBcontent($ARGV[1], \@score_data);
foreach my $line (@score_data) {
    # skip blank or malformed lines instead of reusing the previous match's $1/$2
    next unless $line =~ m/^(\S+)\t(\S+)/;
    $cve_name_score{$1} = $2;
}

my @cves = ();
readDBcontent($ARGV[0], \@cves);
my $score     = 0.0;   # total threat score
my $score1    = 0.0;   # time-adjusted total threat score
my $cve_count = 0;
foreach my $cve (@cves) {
    next if $cve eq "" || !defined($cve_name_score{$cve});   # unknown CVEs are ignored
    my ($year) = $cve =~ m/(\d{4})-\d{4,}/;
    next unless defined($year);                              # not a CVE name
    $score += $cve_name_score{$cve};
    $cve_count++;
    my $score_modified = $cve_name_score{$cve} * (($WINDOW - ($REF_YEAR - $year)) / $WINDOW);
    $score1 += $score_modified;
}
# guard against an empty or entirely unmatched CVE list (division by zero)
my $average = $cve_count ? $score / $cve_count : 0;
printf "%d\t%.1f\t%.1f\t%.1f\n", $cve_count, $score, $average, $score1;

sub readDBcontent {
    my ($table, $dbcon) = @_;
    my $count = 0;
    open(my $tbl, '<', $table) || die("cannot open $table: $!");
    @{$dbcon} = <$tbl>;
    close($tbl);
    for my $line (@{$dbcon}) {
        chomp($line);               # aliases the element, so the array itself is updated
        $count++ if $line ne "";
    }
    return $count;                  # number of non-empty lines
}
--------------------------------- 8< --------------------------------------

Resource links:
Introduction to the Common Vulnerability Scoring System (CVSS)
http://www.xfocus.net/releases/200602/a850.html
NVD/CVE XML Data Files
http://nvd.nist.gov/download.cfm
CVSS Draft
http://www.first.org/cvss/draft/
RealSecure Network Sensor XPUs
http://www.iss.net/db_data/xpu/RSNS.php
Snort Rules
http://www.snort.org/rules/
IDP Rule
https://services.netscreen.com/idpupdates/updateInfo.dat