QuIDScor(TM) is an open source tool for correlating IDS events with vulnerabilities detected by QualysGuard. QuIDScor allows you to improve the quality of your IDS alerts by matching them against the vulnerability assessment data that QualysGuard produces through the course of your regular security audits (scans). QuIDScor helps leverage your investment in both the QualysGuard platform from Qualys, Inc. and your IDS solution, reducing the costs of handling IDS alerts by increasing their relevance and prioritizing them.
QuIDScor helps users prioritize their IDS incident responses by filtering out much of the noise created in intrusion detection systems by false alerts. QuIDScor helps Snort users:
* Eliminate a large fraction of IDS false alerts by filtering for absent vulnerabilities and inactive services.
* Leverage vulnerability scanning to lower total cost of ownership for IDS management.
* Bring the functionality of an integrated enterprise VA solution to an open source IDS.
QuIDScor receives alerts from the IDS and attempts to validate each alert using information obtained through QualysGuard. IDS alerts are correlated with QualysGuard vulnerability information using CVE(R) references and data about active services on the target host. QuIDScor processes IDS-issued alerts and sorts them into three main categories (with sub-categories), which are detailed in the "Output Format and Details" section of the README:
- Validated alerts: Alerts which match vulnerabilities detected by QualysGuard on the target host, or, where there is no ID mapping, whose port, service or application could be mapped and verified with the help of QualysGuard. These alerts should be treated with the highest priority. By default, these alerts are stored in the /var/log/quidscor/alerts_validated.log file.
- Unknown alerts: Alerts that cannot be verified because QualysGuard provides no information for the attacked IP, or because no ID mapping is available and QuIDScor cannot check the port, service and application since the network protocol does not use ports. By default, these alerts are stored in the /var/log/quidscor/alerts_unknown.log file.
- Invalidated alerts: Alerts for services that QualysGuard has identified as not being present or not applicable to the target host. By default, these alerts are stored in the /var/log/quidscor/alerts_invalidated.log file.
Snort is the IDS supported by QuIDScor in this release.
Yes. Qualys will support the original, Qualys distribution of QuIDScor for compiling, installation, and configuration for multiple platforms. Other distributions are not supported. QuIDScor is not currently supported for use with other intrusion detection systems. Please report anomalies or other issues to Qualys Customer Support so that QuIDScor can continue to be improved. For questions or bugs, please email support@qualys.com.
To try QualysGuard with QuIDScor and Snort, visit http://qualys.com/quidscor and sign up for a free trial.
Please see the README for instructions on installing and configuring QuIDScor.
Libxml is not installed or not correctly installed. For information on the latest version and sources for download, please consult http://xmlsoft.org
This error has been known to occur on default MacOS X installations where libcurl is not correctly installed and configured. Please download the latest version of libcurl from http://curl.haxx.se/ and install it correctly. Verify that curl-config in your path is the correct one. For instance, on a ppc Mac curl-config --libs should not return -arch i386.
This error occurs when u_int32_t is not defined on your system. Edit the Makefile and remove the comment before "DEFINES+=DNO_U_INTX_T". After saving the changes, compile again.
This error occurs when O_ASYNC is not defined on your system. On Solaris, for instance, the absence of this mode should be detected automatically. If it is not, or if you are using another system, edit the Makefile and remove the comment before "DEFINES+=-NO_FCNTL_O_ASYNC". After saving the changes, compile again.
Download the current recommended version (see README for details) and install it. If you do not want to change the default version used by other programs, please do the following, replacing paths as necessary:

    gpg curl-7.10.7.tar.gz.asc        # check authenticity of the distribution
    tar xvfz curl-7.10.7.tar.gz       # extract the source
    cd curl-7.10.7
    ./configure --prefix=$HOME/quidscor-dep
    make
    make install

Then before (re)building QuIDScor, make sure your PATH picks up the new location:

    PATH=$HOME/quidscor-dep/bin:$PATH                    # (for bourne type shell)
    set path=($HOME/quidscor-dep/bin $path) ; rehash     # (for csh type shell)
    # go to QuIDScor's source directory
    curl-config --version            # should output libcurl 7.10.6
    which curl-config                # should show $HOME/quidscor-dep/bin/curl-config
    ls -l $HOME/quidscor-dep/share/curl/curl-ca-bundle.crt    # should exist
    make clean all LDFLAGS="--static -L$HOME/quidscor-dep/lib"
    ./quidscor -d -c quidscor.conf

Expected output:

    libqg: You have specified a wrong username or password. Please check your input and try again.
    Error in reply from Server.

This is correct, because the default login/password in the config file do not really exist. If you get something else (still some SSL error), see the next section.
There is a problem with your libcurl version. Follow the steps mentioned in the previous question. It is likely your certificate bundle isn't installed or was moved. You might also need to make sure that the library used is indeed the one curl-config indicates. Double check the paths for "ldd quidscor" or use "make LDFLAGS=--static" to build. If you get link errors, you might need to manually adjust the LIBS line, as on some systems `curl-config --libs` and `xml2-config --libs` seem to generate invalid and/or incompatible values. Please report those problems to support@qualys.com so we can update the FAQ and address them. When contacting Customer Support, please send the full "make" output as well as the output of "make versions".
To verify that the system is working, follow these steps:
- Select an IP that the IDS is monitoring and where a web server is running.
- Connect to this IP on port 80 and type GET /cgi-bin/phf, or try "curl http://some.server/cgi-bin/phf".
- The step above should trigger an IDS alert.

In debug mode, QuIDScor output will look like this:

    Jul 31 08:15:00; [A]; WEB-CGI phf access; Classification: 27; 10.40.2.121:51749; 10.40.1.10:80; Priority: 2; snort-id: 886; CVE/CAN: CVE-1999-0067

Snort output will appear in your snort log file for TCP:*-80 like this:

    [**] WEB-CGI phf access [**]

This alert will end up in the alerts_verified.log if you have the phf vulnerability on that host. Otherwise, it is sent to the alerts_unverified.log. If you don't see an entry, check that it is in your IDS log. Verify that Snort has write permission to the socket. See the README for more information about socket permissions.
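The three-way rule described earlier (validated / unknown / invalidated) applied to the debug-line format shown above, as an added illustration that is not QuIDScor's own code. The per-host cache stand-in (HostData with cves and open_ports), the sample alert lines and the cache contents are constructed; the real tool reads its cache from /var/cache/quidscor/{IP_ADDRESS} in a format this FAQ does not show.

```python
from dataclasses import dataclass, field

@dataclass
class HostData:
    # Constructed stand-in for one cached QualysGuard result (one file per IP).
    cves: set = field(default_factory=set)        # CVE ids QualysGuard confirmed
    open_ports: set = field(default_factory=set)  # ports with an active service

def parse_debug_line(line):
    """Parse the ';'-separated debug-mode alert line into its fields."""
    parts = [p.strip() for p in line.strip().strip("'").split(";")]
    dst = parts[5]
    if ":" in dst:                          # TCP/UDP target is "ip:port"
        dst_ip, port = dst.rsplit(":", 1)
        dst_port = int(port)
    else:                                   # protocol without ports (e.g. ICMP)
        dst_ip, dst_port = dst, None
    cve_field = parts[8].split(":", 1)[1]   # "CVE/CAN: ..." may be empty
    cves = {c.strip() for c in cve_field.split(",") if c.strip()}
    return {"name": parts[2], "src": parts[4], "dst_ip": dst_ip,
            "dst_port": dst_port, "cves": cves}

def classify(alert, cache):
    """Apply the FAQ's three-way rule: validated / unknown / invalidated."""
    host = cache.get(alert["dst_ip"])
    if host is None:
        return "unknown"                    # no QualysGuard data for this IP
    if alert["cves"]:                       # ID mapping exists: compare CVE refs
        return "validated" if alert["cves"] & host.cves else "invalidated"
    if alert["dst_port"] is None:
        return "unknown"                    # no mapping and no port to check
    # No CVE mapping: fall back to whether the targeted service is active.
    return "validated" if alert["dst_port"] in host.open_ports else "invalidated"
# Constructed sample input: the FAQ's phf alert plus three variants.
SAMPLE_LINES = [
    "Jul 31 08:15:00; [A]; WEB-CGI phf access; Classification: 27; 10.40.2.121:51749; 10.40.1.10:80; Priority: 2; snort-id: 886; CVE/CAN: CVE-1999-0067",
    "Jul 31 08:16:00; [A]; WEB-CGI phf access; Classification: 27; 10.40.2.121:51750; 10.40.1.11:80; Priority: 2; snort-id: 886; CVE/CAN: CVE-1999-0067",
    "Jul 31 08:17:00; [A]; unmapped alert; Classification: 1; 10.40.2.121:51751; 10.40.1.12:8080; Priority: 3; snort-id: 0; CVE/CAN: ",
    "Jul 31 08:18:00; [A]; ICMP PING; Classification: 1; 10.40.2.121; 10.40.1.12; Priority: 3; snort-id: 0; CVE/CAN: ",
]
SAMPLE_CACHE = {
    "10.40.1.10": HostData(cves={"CVE-1999-0067"}, open_ports={80}),
    "10.40.1.12": HostData(open_ports={80}),    # scanned, port 8080 not active
}

def correlate(lines, cache):
    """Return [(alert name, dst ip, category)] for each debug line."""
    return [(a["name"], a["dst_ip"], classify(a, cache))
            for a in map(parse_debug_line, lines)]
```

The four sample lines land in validated, unknown (unscanned host), invalidated (inactive port) and unknown (no port to check), which is the routing a reader should expect to see across the three default log files.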
To avoid repeatedly querying for the same information, QuIDScor maintains a cache of results (see also next question). If you want to force QuIDScor to re-query QualysGuard, you can simply remove the corresponding cache file. The default location of the cache file is /var/cache/quidscor/{IP_ADDRESS}.
QuIDScor uses libcurl, and libcurl can be set up to use a proxy by setting the {protocol name}_proxy environment variable. To make QuIDScor connect to a proxy to fetch QualysGuard data indirectly, set the following before starting QuIDScor:

    https_proxy=proxyHost:proxyPort; export https_proxy   # sh syntax
or
    setenv https_proxy proxyHost:proxyPort                # csh syntax

You will need libcurl 7.10.6 or later if your proxy requires authentication; in that case, specify 'login:password@proxyHost:proxyPort' for the environment variable.
QuIDScor refreshes the cached vulnerability data every 24 hours by default. The parameter for the refresh interval is found in the configuration file, and may be modified by users as needed. The value is in seconds, and the default value is 86400 seconds (i.e., 24 hours).
Sure, that's what Open Source is about! As an open source tool, Qualys expects that QuIDScor will be adapted by the community to better meet the needs of IDS users. We kindly request you contribute your changes back to the community by contacting support@qualys.com. In addition, if you want to create a derived product based on QuIDScor, we'd like to hear about it! See also the community pages at: http://sourceforge.net/projects/quidscor and http://quidscor.sourceforge.net/
QUalys IDS CORrelation. Also "What Score" in Latin + English ;-)
Generated by faq2html.xsl,v 1.10 2003/10/07 18:31:28 ldemailly Exp $ From FAQ.xml,v 1.29 2003/10/08 05:16:13 ldemailly Exp $