OpenVAS Change Request #23: OpenVAS-libnasl: Standardize Script Families for NVT

Votes: +7. Done.

Purpose

To establish standard script families (script_family) usage for the OpenVAS NVTs.

References

Rationale

Script family helps to categorize the NVTs according to the nature of vulnerability the NVT is describing. Also in certain cases, NVTs are grouped based on the Operating System and the type of check it is performing.

As of now, there is no set standard in place for NVT developers to decide upon families for the NVTs. There is no pre-decided set of family names documented for each different type of vulnerability. Also, there is no restriction on the string format. This leads to ad hoc categorization of NVTs.

This change request proposes to document the family names for each type of vulnerability so that NVT developers can easily map the NVTs to an element in a pre-defined set, as in the following:

Families = [
    'Backdoors',
    'Brute force attacks',
    'CGI abuses',
    'CGI abuses : XSS',
    'CISCO',
    'Default Unix Accounts',
    'Denial of Service',
    ]

Effects

This would allow NVT developers to refer to the defined set of families and add new family as and when required.

Design and Implementation

Currently used families

Families = [
    'Backdoors',
    'Brute force attacks',
    'CGI abuses',
    'CGI abuses : XSS',
    'CISCO',
    'Default Unix Accounts',
    'Denial of Service',
    'Finger abuses',
    'Firewalls',
    'FTP',
    'Gain a shell remotely',
    'Gain root remotely',
    'General',
    'Netware',
    'Peer-To-Peer File Sharing',
    'Port scanners',
    'Remote file access',
    'RPC',
    'Service detection',
    'Settings',
    'SMTP problems',
    'SNMP',
    'Useless services',
    'Windows : Microsoft Bulletins',
    'Windows',
    'AIX Local Security Checks',
    'Debian Local Security Checks',
    'FreeBSD Local Security Checks',
    'Gentoo Local Security Checks',
    'MacOS X Local Security Checks',
    'Red Hat Local Security Checks',
    'Solaris Local Security Checks',
    'SuSE Local Security Checks',
    'Mandrake Local Security Checks',
    'Misc.',
    'Web Servers',
    'Local test',
    'Credentials',
    'Windows SMB',
    'Abus de CGI',
    'SLAD',
    'Divers',
    'Databases',
    'Déni de service',
    ]

Changes

The New List of Families

Families:
- 'Brute force attacks'
  NVTs that attempt to discover vulnerabilities susceptible to brute force
  methods are categorized into this family. The detection mechanism is not
  limited to attempting brute force methods itself. If an NVT is trying brute
  force methods to gain access to the target system, ACT_ATTACK must be used
  in script_category().

- 'Web application abuses'
  The vulnerability in question helps to conduct web-based attacks such as
  Cross Site Scripting, Cross Site Request Forgery, SQL Injection, File
  Inclusion, and Cookie Poisoning.

- 'CISCO'
  NVTs discovering all vulnerabilities related to Cisco devices, IOS,
  applications and management consoles are categorized into this family.

- 'Default Accounts'
  NVT is attempting to identify the default and dangerous user accounts on
  the target system.

- 'Denial of Service'
  When the NVT is describing any vulnerability that can be exploited to crash
  or deny the service to legitimate users. Note that by categorizing the NVT
  to this family, it doesn't inherently indicate that NVT itself is attempting
  to crash or deny the service. Use ACT_DENIAL or ACT_KILL in script_category()
  for such purposes.

- 'Finger abuses'
  Vulnerabilities related to 'finger' service.

- 'Firewalls'
  NVT is attempting to scan a firewall. Any vulnerability related to firewalls
  can be categorized here, including any other traffic analyzers or malware
  blockers.

- 'FTP'
  All vulnerabilities related to FTP servers or clients.

- 'Gain a shell remotely'
  The vulnerability lets the attacker gain a shell remotely for reasons
  other than a buffer overflow.

- 'Netware'
  All vulnerabilities related to Novell NetWare and related services.

- 'Peer-To-Peer File Sharing'
  All vulnerabilities in P2P applications, services, protocol violations,
  and any other network compromises due to P2P service.

- 'Port scanners'
  NVT is a port scanner.

- 'Remote file access'
  Vulnerability lets attackers have access to the remote file system.

- 'RPC'
  NVT is describing a vulnerability that can be exploited through an RPC
  service.

- 'Service detection'
  NVT is attempting to discover a remote or local service, application,
  server, device, etc.

- 'Settings'
  NVTs that set user preferences through script_add_preference() function.

- 'SMTP problems'
  Detecting vulnerabilities related to mail servers.

- 'SNMP'
  All SNMP related vulnerabilities.

- 'Useless services'
  NVT is identifying services that may not be required to run on the target
  system.

- 'Windows : Microsoft Bulletins'
  NVTs detecting the patch status of Windows systems based on the security
  bulletins released by Microsoft.

- 'Windows'
  NVTs detecting vulnerabilities in all Windows operating systems and other
  Microsoft products are categorized into this family.

- 'AIX Local Security Checks'
  Local Security checks developed for IBM AIX based on the security advisories
  released for a package update.

- 'Debian Local Security Checks'
  Local Security checks developed for Debian Linux based on the security
  advisories released for a package update. A local security check uses
  SSH as the means of access to the target system and verifies the package
  update.

- 'FreeBSD Local Security Checks'
  Local Security checks developed for FreeBSD based on the security advisories
  released for a package update.

- 'Gentoo Local Security Checks'
  Local Security checks developed for Gentoo Linux based on the security
  advisories released for a package update.

- 'Mac OS X Local Security Checks'
  Local Security checks developed for Apple Mac OS X based on the security
  advisories released for a package update.

- 'Red Hat Local Security Checks'
  Local Security checks developed for Red Hat Linux based on the security
  advisories released for a package update.

- 'Solaris Local Security Checks'
  Local Security checks developed for SUN Solaris based on the security
  advisories released for a package update.

- 'SuSE Local Security Checks'
  Local Security checks developed for SuSE Linux based on the security
  advisories released for a package update.

- 'Fedora Local Security Checks'
  Local Security checks developed for Fedora Linux based on the security
  advisories released for a package update.

- 'CentOS Local Security Checks'
  Local Security checks developed for CentOS Linux based on the security
  advisories released for a package update.

- 'Ubuntu Local Security Checks'
  Local Security checks developed for Ubuntu Linux based on the security
  advisories released for a package update.

- 'Mandrake Local Security Checks'
  Local Security checks developed for Mandrake Linux based on the security
  advisories released for a package update.

- 'HP-UX Local Security Checks'
  Local Security checks developed for HP-UX based on the security
  advisories released for a package update.

- 'Compliance'
  Checks related to various compliance frameworks.

- 'Web Servers'
  NVTs detecting vulnerabilities in any web server or application server.

- 'Buffer overflow'
  The vulnerability is a buffer overflow that lets the attacker execute
  arbitrary code on the remote system and possibly also gain a system shell
  or cause a denial of service.

- 'Privilege escalation'
  An attacker is able to elevate their access level to gain unauthorized
  access to services or applications.

- 'Credentials'
  NVTs that set credentials such as SMB, SSH using script_add_preference().

- 'Malware'
  NVT is attempting to detect a virus, worm, or trojan, including backdoors.

- 'Databases'
  All NVTs discovering database-related vulnerabilities.

- 'General'
  NVTs that cannot be categorized into any of the above families are grouped
  into General.
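As an added illustration of how the proposed set can be enforced in a script tree (this is example code, not part of the change request and not OpenVAS's own tooling), the following Python lint reads the description block of a NASL script, checks the value passed to script_family() against the family list above, flags names from the "currently used" list that the proposal drops, and reports a 'Settings' or 'Credentials' script that never calls script_add_preference(). The legacy-to-new mapping is an assumption made for the example: the change request lists both sets but defines no migration, so names without an obvious successor (such as 'SLAD' or 'Local test') are simply reported as unknown. The NASL fragments are constructed for the example.

```python
from __future__ import annotations

import re

# The proposed family set from this change request (42 names).
STANDARD_FAMILIES = frozenset([
    'Brute force attacks', 'Web application abuses', 'CISCO', 'Default Accounts',
    'Denial of Service', 'Finger abuses', 'Firewalls', 'FTP', 'Gain a shell remotely',
    'Netware', 'Peer-To-Peer File Sharing', 'Port scanners', 'Remote file access',
    'RPC', 'Service detection', 'Settings', 'SMTP problems', 'SNMP', 'Useless services',
    'Windows : Microsoft Bulletins', 'Windows', 'Compliance', 'Web Servers',
    'Buffer overflow', 'Privilege escalation', 'Credentials', 'Malware', 'Databases',
    'General',
] + [f'{name} Local Security Checks' for name in (
    'AIX', 'Debian', 'FreeBSD', 'Gentoo', 'Mac OS X', 'Red Hat', 'Solaris', 'SuSE',
    'Fedora', 'CentOS', 'Ubuntu', 'Mandrake', 'HP-UX')])

# ASSUMPTION: a suggested migration for names in the "currently used" list that
# the proposal drops. The change request defines no such mapping; names with no
# obvious successor (e.g. 'SLAD', 'Local test') are left out and reported as unknown.
LEGACY_FAMILY_MAP = {
    'CGI abuses': 'Web application abuses',
    'CGI abuses : XSS': 'Web application abuses',
    'Abus de CGI': 'Web application abuses',
    'Backdoors': 'Malware',
    'Default Unix Accounts': 'Default Accounts',
    'MacOS X Local Security Checks': 'Mac OS X Local Security Checks',
    'Misc.': 'General',
    'Divers': 'General',
    'Déni de service': 'Denial of Service',
    'Windows SMB': 'Windows',
}

# Matches script_family("...") or script_family('...'); the back-reference
# requires the closing quote to match the opening one.
FAMILY_RE = re.compile(r'\bscript_family\s*\(\s*(["\'])(.*?)\1\s*\)')
# 'Settings' and 'Credentials' are defined by their use of script_add_preference().
PREF_RE = re.compile(r'\bscript_add_preference\s*\(')
PREFERENCE_FAMILIES = frozenset({'Settings', 'Credentials'})


def check_family(nasl_source: str) -> list[str]:
    """Return lint findings for one NASL script; an empty list means compliant."""
    findings: list[str] = []
    match = FAMILY_RE.search(nasl_source)
    if match is None:
        return ['missing script_family()']
    family = match.group(2)
    if family in LEGACY_FAMILY_MAP:
        findings.append(f"legacy family '{family}': use '{LEGACY_FAMILY_MAP[family]}'")
    elif family not in STANDARD_FAMILIES:
        findings.append(f"unknown family '{family}'")
    if family in PREFERENCE_FAMILIES and not PREF_RE.search(nasl_source):
        findings.append(f"family '{family}' declared but script_add_preference() never called")
    return findings


def check_tree(scripts: dict[str, str]) -> dict[str, list[str]]:
    """Lint a {filename: source} mapping and keep only scripts with findings."""
    report = {name: check_family(src) for name, src in scripts.items()}
    return {name: found for name, found in report.items() if found}


# Constructed NASL description blocks for the example; not real OpenVAS NVTs.
SAMPLE_SCRIPTS = {
    'xss_check.nasl': '''
if (description)
{
  script_name("Example reflected XSS check");
  script_family("CGI abuses : XSS");
  script_category(ACT_ATTACK);
  exit(0);
}
''',
    'ssh_creds.nasl': '''
if (description)
{
  script_name("SSH credentials");
  script_family("Credentials");
  script_category(ACT_SETTINGS);
  script_add_preference(name:"SSH login name:", type:"entry", value:"");
  exit(0);
}
''',
    'settings_no_pref.nasl': '''
if (description)
{
  script_name("Scanner preferences");
  script_family('Settings');
  exit(0);
}
''',
    'odd_family.nasl': '''
if (description)
{
  script_name("Some check");
  script_family("Web-Apps");
  exit(0);
}
''',
}

if __name__ == '__main__':
    for name, findings in check_tree(SAMPLE_SCRIPTS).items():
        for finding in findings:
            print(f'{name}: {finding}')
```

Run as a script it prints one line per finding; in a real tree you would build the dictionary by reading every .nasl file under the scripts directory. Only the first script_family() call in a file is inspected, which matches the one-family-per-NVT use the proposal describes.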

Conventions

TO DO's

History