QuIDScor FAQ  

You can also consult the most up to date version of this FAQ online at http://quidscor.sourceforge.net/FAQ.html
  1. What is QuIDScor?
    QuIDScor(TM) is an open source tool for correlating IDS events with
    vulnerabilities detected by QualysGuard.
    QuIDScor allows you to improve the quality of your IDS alerts by matching them
    against the vulnerability assessment data that QualysGuard produces through the
    course of your regular security audits (scans). QuIDScor helps leverage your
    investment in both the QualysGuard platform from Qualys, Inc. and your IDS
    solution, reducing the costs of handling IDS alerts by increasing their
    relevance and prioritizing them.
  2. What is the benefit of QuIDScor?
    QuIDScor helps users prioritize their IDS incident responses by filtering out
    much of the noise created in intrusion detection systems by false alerts.
    QuIDScor helps Snort users:
    * Eliminate a large fraction of IDS false alerts by filtering for absent
      vulnerabilities and inactive services.
    * Leverage vulnerability scanning to lower total cost of ownership for IDS
    * Bring the functionality of an integrated enterprise VA solution to an 
      open source IDS.
  3. How does QuIDScor work?
    QuIDScor receives alerts from the IDS and attempts to validate each alert using
    information obtained through QualysGuard.  IDS alerts are correlated with
    QualysGuard vulnerability information using CVE(R) references and data about
    active services on the target host.
    QuIDScor processes IDS-issued alerts and categorizes them into three main
    categories and sub-categories, which are detailed in the "Output Format and
    Details" section of the README:
      - Validated alerts: Alerts which match vulnerabilities detected by
        QualysGuard on target hosts or give the case there is no ID mapping the 
        port, service or application was mapped and can be verified with the help
        QualysGuard.  These alerts should be treated with the highest
        priority.  By default, these alerts are stored in the
        /var/log/quidscor/alerts_validated.log file.  
      - Unknown alerts: Alerts that are unknown because there is 
        no information provided by QualysGuard for the attacked IP or no ID-mapping
        is available and QuIDScor can not verify the port, service and application 
        due to the fact, that the network protocol doesn't use ports. 
        By default, these alerts are stored in the 
        /var/log/quidscor/alerts_unknown.log file.
      - Invalidated alerts: Alerts for services that QualysGuard has
        identified as not being present or not applicable to the target host.
        By default, these alerts are stored in the 
        /var/log/quidscor/alerts_invalidated.log file.
  4. Which IDS are supported by QuIDScor?
    Snort is the IDS supported by QuIDScor in this release.
  5. Is support available from Qualys for QuIDScor?
    Yes. Qualys will support the original, Qualys distribution of QuIDScor
    for compiling, installation, and configuration for multiple platforms. Other
    distributions are not supported. QuIDScor is not currently supported for
    use with other intrusion detection systems.
    Please report anomalies or other issues to Qualys Customer Support so that
    QuIDScor can continue to be improved. For questions or bugs, please email
  6. How do I fully take advantage of QuIDScor if I'm not a Qualys customer ?
    To try QualysGuard with QuIDScor and Snort, visit http://qualys.com/quidscor
    and sign up for a free trial.
  7. How do I install and configure QuIDScor?
    Please see the README for instructions on installing and configuring
  8. I am getting the Message 'libqg.h:8: header file 'libxml/xmlmemory.h' not found' and make stops with an error. What should I do?
    Libxml is not installed or not correctly installed. For information on the 
    latest version and sources for download, please consult http://xmlsoft.org
  9. During compilation I get a message 'cputype ... i386' and it ends with an error. What should I do?
    This error has been known to occur on default MacOS X installations where
    libcurl is not correctly installed and configured. 
    Please download the latest version of libcurl from http://curl.haxx.se/ and
    install it correctly. Verify that curl-config in your path is the correct one.
    For instance, on a ppc Mac curl-config --libs should not return -arch i386.
  10. During compilation I get the error "parse error before 'u_int32_t'"?
    This error occurs when u_int32_t is not defined on your system. Edit the
    Makefile and remove the comment before "DEFINES+=DNO_U_INTX_T". After
    saving the changes, compile again.
  11. During compilation I get the error "'O_ASYNC' undeclared (first use in this function)"?
    This error occurs when O_ASYNC is not defined on your system. On 
    Solaris for instance, the absence of this mode should be detected 
    automatically. If it does not or you are using another system, edit 
    the Makefile and remove the comment before "DEFINES+=-NO_FCNTL_O_ASYNC". 
    After saving the changes, compile again.
  12. I get an error about my curl or libxml version, what do I do ?
    Download the current recommended version (see README for details) and
    install it. If you do not want to change the default version used by other
    programs, please do the following, replacing paths as necessary:
      gpg curl-7.10.7.tar.gz.asc   # check authenticity of the distribution
      tar xvfz curl-7.10.7.tar.gz  # extract the source
      cd curl-7.10.7
      ./configure --prefix=$HOME/quidscor-dep
      make install
    Then before (re)building QuIDScor, make sure your PATH picks up the new
      PATH=$HOME/quidscor-dep/bin:$PATH                # (for bourne type shell)
      set path=($HOME/quidscor-dep/bin $path) ; rehash # (for csh type shell)
      # go to QuIDScor's source directory
      curl-config --version  # should output libcurl 7.10.6
      which curl-config      # should show $HOME/quidscor-dep/bin/curl-config
      ls -l $HOME/quidscor-dep/share/curl/curl-ca-bundle.crt   # should exist
      make clean all LDFLAGS="--static -L$HOME/quidscor-dep/lib"
      ./quidscor -d -c quidscor.conf
    Expected output:
        libqg: You have specified a wrong username or password.
        Please check your input and try again.
        Error in reply from Server.
    Which is correct because the default login/password in the config file do
    not really exist. If you get something else (still some SSL error), see 
    next section.
  13. I get an error "error setting certificate verify locations" "Verification of SSL-Certificate of Server failed." - What now ?
    There is a problem with your libcurl version. Follow the steps mentioned in
    the previous question. It is likely your certificate bundle isn't installed or
    was moved.
    You might also need to make sure that the library used is indeed the one
    curl-config indicates. Double check the paths for "ldd quidscor" or use "make
    LDFLAGS=--static" to build.
    If you get link errors, you might need to manually adjust the LIBS line as 
    on some systems `curl-config --libs` and `xml2-config --libs` seems to
    generate invalid and/or incompatible values.
    Please report those problems to support@qualys.com so we can update the FAQ and
    address them. When contacting Customer Support please send the full "make"
    output as well as the output of "make versions".
  14. How do I check/troubleshoot the installation ?
    To verify that the system is working, follow these steps:
     - Select an IP that the IDS is monitoring and where a web server is running
     - Connect to this IP on port 80 and type
          GET /cgi-bin/phf
       Or try "curl http://some.server/cgi-bin/phf"
     - The step above should trigger an IDS alert
       QuIDScor output in debug mode will appear like this:
       'Jul 31 08:15:00; [A]; WEB-CGI phf access; Classification: 27;;; Priority: 2; snort-id: 886; 
       CVE/CAN: CVE-1999-0067' will be shown in debug mode
        Snort output will be appear in your snort log file for 
        TCP:*-80 like this:
             [**] WEB-CGI phf access [**]
       This alert will end up in the alerts_verified.log if you have 
       the phf vulnerability on that host. Otherwise, it is sent to the 
    If you don't see an entry, check that it is in your IDS log.  Verify that Snort
    has write permission to the socket. See the README for more information about
    socket permissions.
  15. I see NO-REPORT-FOUND in my logs for a host I just recently finished scanning. Why ?
    To avoid repeatedly querying for the same information, QuIDScor maintains a
    cache of results (see also next question). If you want to force QuIDScor to
    re-query QualysGuard, you can simply remove the corresponding cache file. The
    default location of the cache file is /var/cache/quidscor/{IP_ADDRESS}.
  16. How do I setup QuIDScor to use a proxy connection ?
    QuIDScor uses libcurl, and libcurl can be setup to use a proxy by setting
    the {protocol name}_proxy environment variable. To make QuIDScor connect
    to a proxy to fetch QualysGuard data indirectly, set before starting QuIDScor:
       https_proxy=proxyHost:proxyPort; export https_proxy  # sh syntax
       setenv https_proxy proxyHost:proxyPort               # csh syntax
    You will need libcurl 7.10.6 or later if your proxy requires authentication,
    and specify 'login:password@proxyHost:proxyPort' for the environment variable.
  17. How often does QuIDScor refresh the cached QualysGuard vulnerability information?
    QuIDScor refreshes the cached vulnerability data every 24 hours by default. The
    parameter for the refresh interval is found in the configuration file, and may
    be modified by users as needed. The value is in seconds, and the default value
    is 86400 seconds (i.e., 24 hours).
  18. Can I make changes to the source?
    Sure, that's what Open Source is about! As an open source tool, Qualys expects
    that QuIDScor will be adapted by the community to better meet the needs of IDS
    users. We kindly request you contribute your changes back to the community by
    contacting support@qualys.com.  In addition, if you want to create a derived
    product based on QuIDScor, we'd like to hear about it! See also the community
    pages at: 
    http://sourceforge.net/projects/quidscor and http://quidscor.sourceforge.net/
  19. What does the QuIDScor name mean?
    QUalys IDS CORrelation. Also "What Score" in Latin + English ;-)
Hosted SourceForge.net Copyright (c) 2003, Qualys, Inc. All rights reserved.

See the file LICENSE for information on usage and redistribution of this software, and for a DISCLAIMER OF ALL WARRANTIES.

Generated by faq2html.xsl,v 1.10 2003/10/07 18:31:28 ldemailly Exp $ From FAQ.xml,v 1.29 2003/10/08 05:16:13 ldemailly Exp $