OpenVAS Change Request #23: OpenVAS-libnasl: Standardize Script Families for NVT
Votes: +7. Done.
Purpose
To establish standard script families (script_family) usage for the OpenVAS NVTs.
References
Rationale
Script family helps to categorize the NVTs according to the nature of vulnerability the NVT is describing. Also in certain cases, NVTs are grouped based on the Operating System and the type of check it is performing.
As of now, there is no set standard in place for NVT developers to decide upon families for the NVTs. There is no pre-decided set of family names documented for each different type of vulnerability, and there is no restriction on the string format. This leads to ad hoc categorization of NVTs.
This change request proposes to document the family names for each type of vulnerability so that NVT developers can easily map an NVT to an element of a pre-defined set, as in the following:
Families = [
'Backdoors',
'Brute force attacks',
'CGI abuses',
'CGI abuses : XSS',
'CISCO',
'Default Unix Accounts',
'Denial of Service',
]
Effects
This would allow NVT developers to refer to the defined set of families and add new families as and when required.
Design and Implementation
Currently used families
Families = [
'Backdoors',
'Brute force attacks',
'CGI abuses',
'CGI abuses : XSS',
'CISCO',
'Default Unix Accounts',
'Denial of Service',
'Finger abuses',
'Firewalls',
'FTP',
'Gain a shell remotely',
'Gain root remotely',
'General',
'Netware',
'Peer-To-Peer File Sharing',
'Port scanners',
'Remote file access',
'RPC',
'Service detection',
'Settings',
'SMTP problems',
'SNMP',
'Useless services',
'Windows : Microsoft Bulletins',
'Windows',
'AIX Local Security Checks',
'Debian Local Security Checks',
'FreeBSD Local Security Checks',
'Gentoo Local Security Checks',
'MacOS X Local Security Checks',
'Red Hat Local Security Checks',
'Solaris Local Security Checks',
'SuSE Local Security Checks',
'Mandrake Local Security Checks',
'Misc.',
'Web Servers',
'Local test',
'Credentials',
'Windows SMB',
'Abus de CGI',
'SLAD',
'Divers',
'Databases',
'Déni de service',
]
Changes
- The following families are being used by some NVTs, which have to be moved to a suitable family:
['Local test', 'Local test SuSE/FC/Gent./Ubuntu', 'Windows SMB', 'Abus de CGI', 'Divers', 'Déni de service']
- The use of 'CGI abuses' and 'CGI abuses : XSS' is not clearly understood and they are being used interchangeably. The keyword 'CGI abuses' does not cover all web application related security vulnerabilities. A broader category like 'Web application abuses' would cover XSS, CSRF, SQL Injection, File Inclusion, Directory traversal, Cookie poisoning and Input Validation vulnerabilities.
- The family 'Misc.' has to be removed and the respective NVTs moved to an appropriate family that helps categorize the vulnerability. 'Misc.' is too broad a category and misleading. The category 'General' can be used where an NVT cannot be grouped into an existing family.
- Additions required:
1. Buffer overflow
2. Privilege escalation
3. Malware: to describe viruses/worms/trojans
The New List of Families
Families:
- 'Brute force attacks': NVTs that discover vulnerabilities susceptible to brute force methods are categorized into this family. The detection mechanism is not limited to attempting brute force methods itself. If an NVT tries brute force methods to gain access to the target system, ACT_ATTACK must be used in script_category().
- 'Web application abuses': The vulnerability in question helps to conduct web based attacks such as Cross Site Scripting, Cross Site Request Forgery, SQL Injection, File Inclusion and Cookie Poisoning.
- 'CISCO': NVTs discovering vulnerabilities related to Cisco devices, IOS, applications and management consoles are categorized into this family.
- 'Default Accounts': The NVT attempts to identify default and dangerous user accounts on the target system.
- 'Denial of Service': The NVT describes a vulnerability that can be exploited to crash a service or deny it to legitimate users. Note that categorizing an NVT in this family does not by itself indicate that the NVT attempts to crash or deny the service; use ACT_DENIAL or ACT_KILL in script_category() for that.
- 'Finger abuses': Vulnerabilities related to the 'finger' service.
- 'Firewalls': The NVT scans a firewall. Any vulnerability related to firewalls can be categorized here, including other traffic analyzers or malware blockers.
- 'FTP': All vulnerabilities related to FTP servers or clients.
- 'Gain a shell remotely': A vulnerability lets the attacker gain a shell remotely for reasons other than a buffer overflow.
- 'Netware': All vulnerabilities related to Novell NetWare and related services.
- 'Peer-To-Peer File Sharing': All vulnerabilities in P2P applications and services, protocol violations, and any other network compromise due to a P2P service.
- 'Port scanners': The NVT is a port scanner.
- 'Remote file access': The vulnerability lets attackers access the remote file system.
- 'RPC': The NVT describes a vulnerability that can be exploited through an RPC service.
- 'Service detection': The NVT discovers a remote or local service, application, server, device, etc.
- 'Settings': NVTs that set user preferences through the script_add_preference() function.
- 'SMTP problems': Vulnerabilities related to mail servers.
- 'SNMP': All SNMP related vulnerabilities.
- 'Useless services': The NVT identifies services that may not need to run on the target system.
- 'Windows : Microsoft Bulletins': NVTs detecting the patch status of Windows systems based on the security bulletins released by Microsoft.
- 'Windows': NVTs detecting vulnerabilities in all Windows operating systems and other Microsoft products are categorized into this family.
- 'AIX Local Security Checks': Local security checks developed for IBM AIX based on the security advisories released for a package update.
- 'Debian Local Security Checks': Local security checks developed for Debian Linux based on the security advisories released for a package update. A local security check uses SSH to log in to the target system and verifies the package update.
- 'FreeBSD Local Security Checks': Local security checks developed for FreeBSD based on the security advisories released for a package update.
- 'Gentoo Local Security Checks': Local security checks developed for Gentoo Linux based on the security advisories released for a package update.
- 'Mac OS X Local Security Checks': Local security checks developed for Apple Mac OS X based on the security advisories released for a package update.
- 'Red Hat Local Security Checks': Local security checks developed for Red Hat Linux based on the security advisories released for a package update.
- 'Solaris Local Security Checks': Local security checks developed for Sun Solaris based on the security advisories released for a package update.
- 'SuSE Local Security Checks': Local security checks developed for SuSE Linux based on the security advisories released for a package update.
- 'Fedora Local Security Checks': Local security checks developed for Fedora Linux based on the security advisories released for a package update.
- 'CentOS Local Security Checks': Local security checks developed for CentOS Linux based on the security advisories released for a package update.
- 'Ubuntu Local Security Checks': Local security checks developed for Ubuntu Linux based on the security advisories released for a package update.
- 'Mandrake Local Security Checks': Local security checks developed for Mandrake Linux based on the security advisories released for a package update.
- 'HP-UX Local Security Checks': Local security checks developed for HP-UX based on the security advisories released for a package update.
- 'Compliance': Checks related to various compliance frameworks.
- 'Web Servers': NVTs detecting vulnerabilities in any web server or application server.
- 'Buffer overflow': The vulnerability is a buffer overflow that lets the attacker execute arbitrary code on the remote system and possibly gain a system shell or cause a denial of service.
- 'Privilege escalation': An attacker is able to raise their access level to gain unauthorized access to services or applications.
- 'Credentials': NVTs that set credentials such as SMB or SSH using script_add_preference().
- 'Malware': The NVT attempts to detect a virus, worm or trojan, including backdoors.
- 'Databases': All NVTs discovering database related vulnerabilities.
- 'General': NVTs that cannot be categorized into any of the above families are grouped into General.
Conventions
- Note that the family names are case-sensitive.
- Any addition to the above list will have to go through Change Request process.
- Once voted, the family names will be documented in the OpenVAS Compendium so that it acts as reference for NVT developers.
TO DO's
- CWE is a standard way to identify Software Weakness Types which is being developed by the community to serve as a standard measuring stick for software security tools targeting these weaknesses. Once we have better understanding of CWE and learn about means to map the CWE to NVTs, this standard will be proposed for adoption for OpenVAS NVT.
- A tool will be built to verify the semantics of the family which will report any errors or deviations in the family names.
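The family checker described in the second TO DO item is not on this page. The Python script below is an added example of what such a tool could look like; it is not the OpenVAS project's code. It assumes the NASL description block calls script_family("...") with a double- or single-quoted literal, takes the standard list from the section above (case-sensitive), and carries a legacy-to-replacement mapping that is this editor's reading of the Changes section (for example 'Abus de CGI' to 'Web application abuses'), which the page does not spell out for every old name. The extra rule that a 'Settings' or 'Credentials' script must call script_add_preference() is likewise an assumption drawn from those two family descriptions. The NASL fragments it runs on are constructed for the example, not real NVTs.

```python
"""Check script_family() values in NASL scripts against the CR #23 list.
Added example, not an OpenVAS tool; assumes script_family("...") syntax."""
import re
from typing import Dict, List, Optional

# Families voted in by this change request; comparison is case-sensitive.
STANDARD_FAMILIES = frozenset({
    'Brute force attacks', 'Web application abuses', 'CISCO', 'Default Accounts',
    'Denial of Service', 'Finger abuses', 'Firewalls', 'FTP',
    'Gain a shell remotely', 'Netware', 'Peer-To-Peer File Sharing',
    'Port scanners', 'Remote file access', 'RPC', 'Service detection',
    'Settings', 'SMTP problems', 'SNMP', 'Useless services',
    'Windows : Microsoft Bulletins', 'Windows', 'AIX Local Security Checks',
    'Debian Local Security Checks', 'FreeBSD Local Security Checks',
    'Gentoo Local Security Checks', 'Mac OS X Local Security Checks',
    'Red Hat Local Security Checks', 'Solaris Local Security Checks',
    'SuSE Local Security Checks', 'Fedora Local Security Checks',
    'CentOS Local Security Checks', 'Ubuntu Local Security Checks',
    'Mandrake Local Security Checks', 'HP-UX Local Security Checks',
    'Compliance', 'Web Servers', 'Buffer overflow', 'Privilege escalation',
    'Credentials', 'Malware', 'Databases', 'General',
})

# Old names and the replacement the CR implies (editor's reading of the
# Changes section, an assumption). None = no single target; re-file by hand.
LEGACY_FAMILIES: Dict[str, Optional[str]] = {
    'CGI abuses': 'Web application abuses',
    'CGI abuses : XSS': 'Web application abuses',
    'Abus de CGI': 'Web application abuses',
    'Déni de service': 'Denial of Service',
    'Default Unix Accounts': 'Default Accounts',
    'Backdoors': 'Malware',
    'MacOS X Local Security Checks': 'Mac OS X Local Security Checks',
    'Misc.': None, 'Divers': None, 'Local test': None,
    'Local test SuSE/FC/Gent./Ubuntu': None, 'Windows SMB': None,
    'SLAD': None, 'Gain root remotely': None,
}

# NASL string literals may be double- or single-quoted.
_FAMILY_RE = re.compile(r'script_family\s*\(\s*(?:"([^"]*)"|\'([^\']*)\')\s*\)')
_PREF_RE = re.compile(r'\bscript_add_preference\s*\(')
_FOLDED = {f.lower(): f for f in STANDARD_FAMILIES}  # for case-mismatch hints


def extract_families(source: str) -> List[str]:
    """Return every family literal passed to script_family() in the script."""
    return [dq or sq for dq, sq in _FAMILY_RE.findall(source)]


def check_script(name: str, source: str) -> List[str]:
    """Return a list of findings for one script (empty means it conforms)."""
    findings: List[str] = []
    families = extract_families(source)
    if not families:
        return [f"{name}: no script_family() call found"]
    if len(families) > 1:
        findings.append(f"{name}: {len(families)} script_family() calls, expected one")
    for fam in families:
        if fam in STANDARD_FAMILIES:
            continue
        if fam in LEGACY_FAMILIES:
            target = LEGACY_FAMILIES[fam]
            hint = f"use '{target}'" if target else "re-categorize by hand"
            findings.append(f"{name}: legacy family '{fam}'; {hint}")
        elif fam.lower() in _FOLDED:  # family names are case-sensitive
            findings.append(f"{name}: '{fam}' differs only in case from '{_FOLDED[fam.lower()]}'")
        else:
            findings.append(f"{name}: unknown family '{fam}' (additions need a change request)")
    # Assumption: 'Settings'/'Credentials' scripts exist to call script_add_preference().
    if families[0] in ('Settings', 'Credentials') and not _PREF_RE.search(source):
        findings.append(f"{name}: family '{families[0]}' but no script_add_preference() call")
    return findings


# Constructed NASL fragments for a stand-alone run; not real OpenVAS NVTs.
SAMPLE_SCRIPTS = {
    "webapp.nasl": 'if (description) { script_category(ACT_ATTACK);'
                   ' script_family("Web application abuses"); exit(0); }',
    "legacy.nasl": "if (description) { script_family('Abus de CGI'); exit(0); }",
    "case.nasl": 'if (description) { script_family("web servers"); exit(0); }',
    "settings.nasl": 'if (description) { script_family("Settings"); exit(0); }',
    "none.nasl": 'if (description) { script_name("x"); exit(0); }',
}

if __name__ == "__main__":
    for script_name, script_source in SAMPLE_SCRIPTS.items():
        for line in check_script(script_name, script_source) or [f"{script_name}: OK"]:
            print(line)
```

Run it over a real plugin tree by reading each .nasl file and passing its text to check_script(); the exact-string comparison is deliberate, since the Conventions section makes family names case-sensitive and a near-miss is reported separately rather than silently accepted.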
History
- 2008-11-28 Chandrashekhar B <bchandra@secpod.com>: Initial text.
- 2008-12-07 Chandrashekhar B <bchandra@secpod.com>: Updated based on the feedback received on the list.
- 2008-12-15 Chandrashekhar B <bchandra@secpod.com>: Incorporated feedback from Jan-Oliver and Stjepan.
- 2009-04-02 Chandrashekhar B <bchandra@secpod.com>: Updated with newly used families and their descriptions; also updated the description for "Service detection" to mean all detection NASLs.
- 2009-12-10 Michael Wiegand <michael.wiegand@intevation.de>: Removed 'GSHB' family, added 'Compliance' family.
- 2010-01-06 Felix Wolfsteller <felix.wolfsteller@intevation.de>: Updated status as done.
- 2010-04-07 Goran Licina <goran.licina@lss.hr>: Fixed family name 'MacOS X Local Security Checks' to 'Mac OS X Local Security Checks'.
