Hello everyone! In this episode I would like to share an update for my Vulristics project.
For those who don't know, in this project I am working on an alternative vulnerability scoring based on publicly available data to highlight vulnerabilities that need to be fixed as soon as possible. Roughly speaking, this is something like Tenable VPR, but more transparent and even open source. Currently it works with much less data sources. It mainly depends on the type of vulnerability, the prevalence of vulnerable software, public exploits and exploitation in the wild.
I started with Microsoft PatchTuesday Vulnerabilities because Microsoft provides much better data than other vendors. They have the type of vulnerability and the name of the vulnerable software in the title.
But it's time to go further and now you can use Vulristics to analyze any set of CVEs. I changed the scirpts that were closely related to the Microsoft datasource and added new features to get the type of vulnerability and name of the software from the CVE description.
So the general process now looks like this:
The profile format is the same as I used to generate Microsoft Patch Tuesday reports.
For Microsoft Patch Tuesday, the profile and report can be generated automatically by setting only the year and month.
And you can easily create a profile to generate a report for any CVE set.
And does it always work? Of course not. As I stated in the title of this project, it works heuristically.
> A heuristic technique, or a heuristic (/hjʊəˈrɪstɪk/; Ancient Greek: εὑρίσκω, heurískō, 'I find, discover'), is any approach to problem solving or self-discovery that employs a practical method that is not guaranteed to be optimal, perfect, or rational, but is nevertheless sufficient for reaching an immediate, short-term goal or approximation.
There is no AI magic in it, only the rules that you, as a practitioner, can set within th Vulristics framework. Vulnerability types and product names are searched by name in the rule or a set of additional strings.
Therefore, if some software or type of vulnerability is not found, you can easily add a rule, and next time it will work fine. If you share these discovery rules somehow, we can grow this database together.
When the description-based detect failes Vulristics shown "Unknown Vulnerability Type" or "Unknown Product".
Basically, it can be used with any tool that operates with CVE:
Any other ideas?
That's all for today! If someone wants to participate in the project, you are welcome to write to me on Telegram or in any other social network. Subscribe on youtube, press like buttons and leave your comments.