Database storage changes brought about by rule-based Vuln Sets

The content itself is not of much significance; what matters is the determination to get to the bottom of things.


/****** Script for SelectTopNRows command from SSMS  ******/
SELECT TOP 1000 [VulnSetID]
      ,[VulnsVersion]
      ,[VulnSetVersion]
      ,[Name]
      ,[Unnamed]
      /*,[Description]
      ,[OrgID]
      ,[Creator]
      ,[CreateDate]
      ,[ModifiedDate]
      ,[VulnChecks]
      ,[EnableWhamScan]
      ,[ScanForWireless]
      ,[EnableShellScan]
      ,[StartWebCrawl]
      ,[SourceSifting]
      ,[SmartGuess]
      ,[SqlHack]
      ,[SourceDisclose]
      ,[EnableBruteForcing]
      ,[BruteForcing]
      ,[JavaAppletDecompile]
      ,[DirectoryBrowse]*/
      ,[VulnSetType]
      ,[VulnFilterXML]  -- the content of this column corresponds to VulnFilter.xml
      ,[VulnFilterProcessedQuery] -- this column stores the query that retrieves all the Vulns in the set

      ,[State]
  FROM [faultline].[ScanComponent].[VulnSet]
  where Name='cmb_default'


Originally a Vuln Set was configured by ticking items in a tree structure, and the Vulns a Vuln Set had ticked could be queried through the VulnSetVulns table. Once the rule-based method is used, however, that table no longer contains the corresponding rows.


For a while I thought I was looking at the wrong table; then it occurred to me that the difference from the other Vuln Sets was precisely tree-based versus rule-based. After verifying that and going through the VulnSet table in detail, it turned out there are columns that differ according to the set type.




/// Contents of the XML file (the [VulnFilterXML] column)

<VulnFilter>
  <Filter expression="( {0}  and  {1} ) and ( {2}  or  {3}  or  {4}  or  {5}  or  {6}  or  {7}  or  {8}  or  {9}  or  {10}  or  {11}  or  {12}  or  {13}  or  {14}  or  {15}  or  {16} ) and ( {17}  and  {18} )">
    <Condition>
      <Column>Intrusive</Column>
      <Operator>equals</Operator>
      <Value>0</Value>
      <ConditionID>0</ConditionID>
    </Condition>
    <Condition>
      <Column>Module</Column>
      <Operator>does not equal</Operator>
      <Value>3</Value>
      <ConditionID>1</ConditionID>
    </Condition>
    <Condition>
      <Column>Category</Column>
      <Operator>equals</Operator>
      <Value>6</Value>
      <ConditionID>2</ConditionID>
    </Condition>
    <Condition>
      <Column>Category</Column>
      <Operator>equals</Operator>
      <Value>10</Value>
      <ConditionID>3</ConditionID>
    </Condition>
    <Condition>
      <Column>Category</Column>
      <Operator>equals</Operator>
      <Value>12</Value>
      <ConditionID>4</ConditionID>
    </Condition>
    <Condition>
      <Column>Category</Column>
      <Operator>equals</Operator>
      <Value>14</Value>
      <ConditionID>5</ConditionID>
    </Condition>
    <Condition>
      <Column>Category</Column>
      <Operator>equals</Operator>
      <Value>31</Value>
      <ConditionID>6</ConditionID>
    </Condition>
    <Condition>
      <Column>Category</Column>
      <Operator>equals</Operator>
      <Value>50</Value>
      <ConditionID>7</ConditionID>
    </Condition>
    <Condition>
      <Column>Category</Column>
      <Operator>equals</Operator>
      <Value>32</Value>
      <ConditionID>8</ConditionID>
    </Condition>
    <Condition>
      <Column>Category</Column>
      <Operator>equals</Operator>
      <Value>115</Value>
      <ConditionID>9</ConditionID>
    </Condition>
    <Condition>
      <Column>Category</Column>
      <Operator>equals</Operator>
      <Value>30</Value>
      <ConditionID>10</ConditionID>
    </Condition>
    <Condition>
      <Column>Category</Column>
      <Operator>equals</Operator>
      <Value>48</Value>
      <ConditionID>11</ConditionID>
    </Condition>
    <Condition>
      <Column>Category</Column>
      <Operator>equals</Operator>
      <Value>16</Value>
      <ConditionID>12</ConditionID>
    </Condition>
    <Condition>
      <Column>Category</Column>
      <Operator>equals</Operator>
      <Value>24</Value>
      <ConditionID>13</ConditionID>
    </Condition>
    <Condition>
      <Column>Category</Column>
      <Operator>equals</Operator>
      <Value>70</Value>
      <ConditionID>14</ConditionID>
    </Condition>
    <Condition>
      <Column>Category</Column>
      <Operator>equals</Operator>
      <Value>19</Value>
      <ConditionID>15</ConditionID>
    </Condition>
    <Condition>
      <Column>Category</Column>
      <Operator>equals</Operator>
      <Value>21</Value>
      <ConditionID>16</ConditionID>
    </Condition>
    <Condition>
      <Column>Vulnerability Name</Column>
      <Operator>does not contain</Operator>
      <Value>SSHv1 Protocol Enabled</Value>
      <ConditionID>17</ConditionID>
    </Condition>
    <Condition>
      <Column>Vulnerability Name</Column>
      <Operator>does not contain</Operator>
      <Value>Microsoft Internet Information Services Remote DoS</Value>
      <ConditionID>18</ConditionID>
    </Condition>
  </Filter>
</VulnFilter>






use faultline
select *
-- What follows is the value of the [VulnFilterProcessedQuery] column; it corresponds to the filter rule we built above
FROM Content.vwVulnCategoryVulnSelectable MasterView
WHERE 1=1
  AND ( (MasterView.Intrusive = 0) and (MasterView.ModuleID <> 3) )
  and ( (MasterView.VulnCategoryID = 6) or (MasterView.VulnCategoryID = 10) or (MasterView.VulnCategoryID = 12) or (MasterView.VulnCategoryID = 14) or (MasterView.VulnCategoryID = 31) or (MasterView.VulnCategoryID = 50) or (MasterView.VulnCategoryID = 32) or (MasterView.VulnCategoryID = 115) or (MasterView.VulnCategoryID = 30) or (MasterView.VulnCategoryID = 48) or (MasterView.VulnCategoryID = 16) or (MasterView.VulnCategoryID = 24) or (MasterView.VulnCategoryID = 70) or (MasterView.VulnCategoryID = 19) or (MasterView.VulnCategoryID = 21) )
  and ( ( isnull(MasterView.VulnName, '') not like '%SSHv1 Protocol Enabled%' Escape '!' ) and ( isnull(MasterView.VulnName, '') not like '%Microsoft Internet Information Services Remote DoS%' Escape '!' ) )
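The relationship between the two columns is mechanical: each Condition in [VulnFilterXML] becomes one SQL predicate, and the Filter's expression attribute, with its {n} placeholders, dictates how the predicates are combined. The script below is an added example, not MVM's own code. It parses a constructed, shortened VulnFilter document in the same shape as the one above and renders the WHERE clause in the form the stored query shows (Intrusive -> MasterView.Intrusive, Module -> MasterView.ModuleID, Category -> MasterView.VulnCategoryID, Vulnerability Name -> isnull(MasterView.VulnName, '') not like ... Escape '!'). The column mapping and operator translation are inferred from the page's example; the integer coercion and LIKE-escaping of rule values are hardening added here, since the processed query is generated SQL assembled from user-entered rule values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the same shape as the VulnFilter.xml on the page (shortened).
# The last Value deliberately contains a quote and LIKE wildcards to exercise escaping.
SAMPLE_XML = """\
<VulnFilter>
  <Filter expression="( {0}  and  {1} ) and ( {2}  or  {3} ) and ( {4} )">
    <Condition>
      <Column>Intrusive</Column><Operator>equals</Operator>
      <Value>0</Value><ConditionID>0</ConditionID>
    </Condition>
    <Condition>
      <Column>Module</Column><Operator>does not equal</Operator>
      <Value>3</Value><ConditionID>1</ConditionID>
    </Condition>
    <Condition>
      <Column>Category</Column><Operator>equals</Operator>
      <Value>6</Value><ConditionID>2</ConditionID>
    </Condition>
    <Condition>
      <Column>Category</Column><Operator>equals</Operator>
      <Value>10</Value><ConditionID>3</ConditionID>
    </Condition>
    <Condition>
      <Column>Vulnerability Name</Column><Operator>does not contain</Operator>
      <Value>100% O'Brien_test</Value><ConditionID>4</ConditionID>
    </Condition>
  </Filter>
</VulnFilter>
"""

# XML column names -> columns of the view the processed query reads
# (Content.vwVulnCategoryVulnSelectable, aliased MasterView). Inferred from the
# page's example; this is an assumption, not the product's own mapping table.
COLUMN_MAP = {
    "Intrusive": "MasterView.Intrusive",
    "Module": "MasterView.ModuleID",
    "Category": "MasterView.VulnCategoryID",
    "Vulnerability Name": "MasterView.VulnName",
}
NUMERIC_COLUMNS = {"Intrusive", "Module", "Category"}


def escape_like_literal(value: str, escape_char: str = "!") -> str:
    """Prepare a rule value for '%...%' LIKE ... ESCAPE '!' in T-SQL:
    double single quotes, then escape the escape character itself and the
    LIKE wildcards % _ [ (the escape character is handled first so the
    escapes added for the wildcards are not escaped again)."""
    out = value.replace("'", "''")
    for ch in (escape_char, "%", "_", "["):
        out = out.replace(ch, escape_char + ch)
    return out


def render_condition(cond: ET.Element) -> str:
    """Translate one <Condition> element into a single SQL predicate."""
    column = cond.findtext("Column")
    operator = cond.findtext("Operator")
    value = cond.findtext("Value", default="")
    sql_col = COLUMN_MAP[column]  # unknown column -> KeyError, never guessed
    if column in NUMERIC_COLUMNS:
        literal = str(int(value))  # non-integer input is rejected, not interpolated
        if operator == "equals":
            return f"({sql_col} = {literal})"
        if operator == "does not equal":
            return f"({sql_col} <> {literal})"
    elif operator == "does not contain":
        escaped = escape_like_literal(value)
        return f"( isnull({sql_col}, '') not like '%{escaped}%' Escape '!' )"
    raise ValueError(f"unsupported operator {operator!r} for column {column!r}")


def build_where(xml_text: str) -> str:
    """Render the WHERE clause stored in [VulnFilterProcessedQuery] from a
    VulnFilter document. Each {n} in the Filter expression is replaced by the
    predicate of the Condition whose ConditionID is n; whitespace is normalised."""
    flt = ET.fromstring(xml_text).find("Filter")
    rendered = {
        int(c.findtext("ConditionID")): render_condition(c)
        for c in flt.findall("Condition")
    }
    body = re.sub(r"\{(\d+)\}", lambda m: rendered[int(m.group(1))], flt.get("expression"))
    return "WHERE 1=1 AND " + re.sub(r"\s+", " ", body).strip()


if __name__ == "__main__":
    print(build_where(SAMPLE_XML))
```

Running the script prints the clause for the constructed sample; feeding it the page's full VulnFilter.xml reproduces the structure of the [VulnFilterProcessedQuery] value above, with the added escaping making the difference visible only for values that contain quotes or wildcards. The int() coercion is the important check: a Category value such as "6 or 1=1" is refused instead of being spliced into the generated SQL.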


