I started my professional career off in networking, and there is a set of applications that have been near and dear to me since. One of those is Wireshark. Wireshark is a network protocol analyzer for TCP, UDP, and many other protocols that helps you make sense of what is going on.
You can use it in many ways, both as an administrator and as a nefarious agent looking to capture some data to attempt to crack later.
In this case, though, I am going to talk about why Wireshark is a good starting point for discussing application vulnerability detection.
Wireshark has easy Application Detection
Wireshark is installed into the ~/Applications directory, which makes it easy to detect through terminal commands such as system_profiler, through OSQuery (an industry-leading tool for discovering system metrics), or through MDM tools, whether they use the MDM specification or are agent based like Jamf. The application has consistent, easy-to-detect BundleID, Name, and version strings.
Wireshark has Semantic Versioning
One of the best things about Wireshark is that it has a solid semantic versioning scheme. You don't get any curve balls like with other applications. It uses the primary version string, which can be found via your system terminal, OSQuery, or your MDM of choice. Not many people are aware that there are multiple version strings in MDM, but Wireshark is an example of an easy one to work with.
Wireshark's Vulnerability Versions Match Their System Versions
This will be covered in a future blog post (*cough* Microsoft). One issue that comes up often when attempting to find vulnerabilities in NVD
NVD CPE String:
```
cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*:*
```
or
NVD CPE String:
```
cpe:2.3:a:wireshark:wireshark:$YOURVERSION$:*:*:*:*:*:*:*
```
Wireshark Freely Hosts Older Versions
This is pretty rare in this space; you would often have to rely on a third-party packaging service, such as Jamf's Patch Definitions or Alectrona, to acquire older versions. If you are developing a vulnerability detection system, it is trivially easy to give yourself past versions to verify that your detections work.
This will also become a big issue when you deal with apps distributed through the major app stores, such as Apple's or Google's official App Stores.
Wireshark has consistent NVD Reporting
Wireshark reports its app name consistently to the NIST National Vulnerability Database. In this case the CPE part field is `a`, meaning an application. Whether you are using LoonSecIO's, NVD's, or VulnCheck's API, it is very consistent to find the versions, both new and old, to understand any risks based on a vulnerability report. Below are some examples of how they are reported.
NVD CPE String:
```
cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*:*
```
or
NVD CPE String:
```
cpe:2.3:a:wireshark:wireshark:$YOURVERSION$:*:*:*:*:*:*:*
```
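The two points above, the clean semantic version string and the consistent CPE name, are what make the matching step easy. As an added example (not code from the blog post or from the Wireshark project), this builds the CPE string shown above from an installed version and checks that version against the `versionStartIncluding` / `versionEndExcluding` bounds NVD attaches to a cpeMatch entry; the sample ranges are constructed for illustration, not taken from any real CVE.

```python
# Added example (not from the blog post): build the Wireshark CPE 2.3 string
# and check an installed semantic version against NVD-style version bounds.
# The sample ranges at the bottom are constructed, not taken from any CVE.
from __future__ import annotations
import re
from dataclasses import dataclass

SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

def parse_semver(text: str) -> tuple[int, int, int]:
    """Parse a strict MAJOR.MINOR.PATCH string (Wireshark's version strings fit)."""
    m = SEMVER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)

def wireshark_cpe(version: str = "*") -> str:
    """CPE 2.3 formatted string: part 'a' (application), vendor/product 'wireshark'."""
    return f"cpe:2.3:a:wireshark:wireshark:{version}:*:*:*:*:*:*:*"

@dataclass(frozen=True)
class CpeMatch:
    # Subset of an NVD cpeMatch entry: criteria string plus optional range bounds.
    criteria: str
    version_start_including: str | None = None
    version_end_excluding: str | None = None

def is_affected(installed: str, match: CpeMatch) -> bool:
    """True when the installed version falls inside this match's vulnerable range."""
    v = parse_semver(installed)
    pinned = match.criteria.split(":")[5]  # version field of the criteria string
    if pinned != "*":
        return v == parse_semver(pinned)   # exact-version criteria, no range fields
    if match.version_start_including and v < parse_semver(match.version_start_including):
        return False
    if match.version_end_excluding and v >= parse_semver(match.version_end_excluding):
        return False
    return True

# Constructed sample: two release branches, each fixed in a later patch release.
SAMPLE_MATCHES = [
    CpeMatch(wireshark_cpe(), "4.0.0", "4.0.5"),
    CpeMatch(wireshark_cpe(), "4.2.0", "4.2.3"),
]

def affected_matches(installed: str, matches=SAMPLE_MATCHES) -> list[CpeMatch]:
    """Return every match the installed version falls into (empty means not affected)."""
    return [m for m in matches if is_affected(installed, m)]
```

Feed it the version string your MDM or OSQuery reports and the cpeMatch entries from the NVD API response; an empty result for a given CVE means that installed build is outside every range the entry lists.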
One thing they could do better
Follow the likes of Maven and others: if you are hosting previous versions, clearly lay out the vulnerabilities you inherit with each download.
What did we learn
The very basics of what an application is, what a CVE is, and why Wireshark is an important app. This blog has a long way to go, so we will dive into each of these concepts in depth later.