SIGVI is an Open Source application, under the GPL license, to detect, notify and manage vulnerabilities on your systems.
The basic work flow is:
- Download daily the new vulnerability definitions from defined sources like NVD.
- Search the product repositories to detect vulnerabilities in the software installed on your servers.
- Once vulnerabilities are detected, create a new alert in the alert repository, and finally send a notification to each server administrator.
Also a daily report with the newly downloaded vulnerabilities is sent to each registered user.
Server administrators can follow the alert progress and get all the information about the vulnerabilities in SIGVI.
The new version has been designed to comply with some of the SCAP standards, such as CVE, CPE and CVSS.
SIGVI has been developed at UPCnet, from the Polytechnic University of Catalonia (UPC), Spain.
This is a view of the main page as seen by a SIGVI administrator.
Short description of the most interesting features
Vulnerability Sources
SIGVI uses vulnerability sources to download or receive updates of the vulnerabilities. Periodically, the application connects to the sources using their plugin, gets the vulnerabilities and stores them in the SIGVI database. Those vulnerabilities are available through one of the SIGVI pages, with search options.
The vulnerability system is based on plugins, so you can define your own source format by inheriting the main source class and writing two functions, one to read the source and one to loop over its rows. By default, the application supports the NVD (National Vulnerability Database: nvd.nist.gov) format.
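A source plugin in the style just described (read the source, then loop over its rows), as an added example that is not SIGVI's own code: the base class and method names are assumptions, and the feed excerpt is constructed in the NVD JSON 1.1 data feed layout.

```python
# Added example (not SIGVI's own code) of a vulnerability source plugin in the
# style the text describes: subclass a base source, implement one function that
# reads the feed and one that loops over its rows. The base class and method
# names are assumptions; the feed excerpt is constructed in the NVD JSON 1.1 layout.
import json

class VulnerabilitySource:
    """Assumed base class: read() fetches raw data, rows() yields normalized rows."""
    def read(self):
        raise NotImplementedError
    def rows(self, raw):
        raise NotImplementedError
    def load(self):
        return list(self.rows(self.read()))

class NvdJsonSource(VulnerabilitySource):
    def __init__(self, text):
        self.text = text                 # normally fetched from nvd.nist.gov
    def read(self):
        return json.loads(self.text)
    def rows(self, feed):
        for item in feed["CVE_Items"]:
            cve = item["cve"]["CVE_data_meta"]["ID"]
            v2 = item.get("impact", {}).get("baseMetricV2", {}).get("cvssV2", {})
            cpes = set()
            for node in item["configurations"]["nodes"]:
                stack = [node]
                while stack:             # AND/OR nodes may nest via "children"
                    n = stack.pop()
                    stack.extend(n.get("children", []))
                    cpes.update(m["cpe23Uri"] for m in n.get("cpe_match", [])
                                if m.get("vulnerable"))   # skip platform-only matches
            yield {"cve": cve, "cpes": sorted(cpes), "vector": v2.get("vectorString"),
                   "score": v2.get("baseScore"), "modified": item["lastModifiedDate"]}

FEED = json.dumps({"CVE_Items": [   # constructed sample, not real advisories
  {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
   "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
       {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*"}]}]},
   "impact": {"baseMetricV2": {"cvssV2": {"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "baseScore": 5.0}}},
   "lastModifiedDate": "2000-01-01T00:00Z"},
  {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
   "configurations": {"nodes": [{"operator": "AND", "children": [
       {"operator": "OR", "cpe_match": [{"vulnerable": True, "cpe23Uri": "cpe:2.3:a:freedesktop:poppler:0.12:*:*:*:*:*:*:*"}]},
       {"operator": "OR", "cpe_match": [{"vulnerable": False, "cpe23Uri": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"}]}]}]},
   "impact": {},                      # no CVSS v2 metrics published yet
   "lastModifiedDate": "2000-01-02T00:00Z"}]})
```

Rows without CVSS metrics come through with `vector` and `score` set to None, so the loader can store them and update them on a later run.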
Vulnerability Daily Report
After the vulnerability loading process, SIGVI will send a report of the new or updated vulnerabilities to each user, using their filter.
Product database
The products that we associate with our servers are stored in a table in the SIGVI database. These products are automatically updated for each newly loaded vulnerability (new products are inserted). Initially, the products are downloaded from the NVD product dictionaries.
Software installed on servers
SIGVI needs to know which software is installed on each server to determine when that software is vulnerable.
The basic way is to do it manually, so you have to enter the basic services (for example those which are accessible remotely) on each server.
To avoid this work, we have started a new project called NSDi (Network Services Discoverer), whose main function is to acquire the software list of each server. NSDi uses plugins to acquire this list; for now only a plugin based on the nmap command is available. This project is currently in alpha status, and the latest releases of SIGVI can be integrated with it.
Alerts and notifications
Once the vulnerabilities have been loaded from the sources, SIGVI compares the software list of each new vulnerability with the software that we have associated with each server, using the server filter (if any). For each vulnerability affecting one product on one server, SIGVI creates a new alert.
For each alert, SIGVI calculates a Risk Factor, based on the risk properties of the vulnerability (CVSS vector, ...) and the properties of the service (the product on this server). For example, a vulnerability that affects a PDF library is not the same as a vulnerability that affects an OpenSSL library. This Risk Factor helps us to know how serious each case is.
So we have an alert repository and history.
When the process has finished, SIGVI sends a notification for each alert to the administrator of the affected server, with information about the vulnerability and a link to the alert repository.
Filters
Filters are used to determine when to notify about a vulnerability and which types of vulnerabilities will be checked on each server. For example, you can define a filter that passes only those vulnerabilities which can be exploited remotely. If you associate this filter with your user, your Vulnerability Daily Report will contain only those vulnerabilities that are remotely exploitable. If you associate this filter with one server, then only the remotely exploitable vulnerabilities will be checked for that server.
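The alert step and the filter behaviour described in the two sections above, as an added example that is not SIGVI's own code: it assumes a risk factor of CVSS base score scaled by an exposure weight, and the CVE ids, CPE names and servers are constructed.

```python
# Added example (not SIGVI's own code): the alert step of the work flow above.
# Vulnerabilities (CVE id, affected CPEs, CVSS v2 vector) are matched against the
# software recorded per server, through the server filter; each match becomes an
# alert with a risk factor. Formula, weights and sample data are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Vulnerability:
    cve_id: str
    cpes: frozenset      # CPE 2.3 names of the affected products
    cvss_vector: str     # CVSS v2 base vector, e.g. "AV:N/AC:L/Au:N/C:P/I:P/A:P"
    base_score: float

@dataclass(frozen=True)
class Service:           # one product installed on one server
    server: str
    cpe: str
    exposure: float      # assumed weight: 1.0 internet-facing, 0.5 internal only

def cvss_metrics(vector):
    """Split a CVSS v2 vector into a metric -> value mapping."""
    return dict(part.split(":") for part in vector.split("/"))

def remote_only(vuln):
    """Filter: keep only vulnerabilities exploitable over the network (AV:N)."""
    return cvss_metrics(vuln.cvss_vector).get("AV") == "N"

def risk_factor(vuln, service):
    """Assumed risk factor: CVSS base score scaled by the service's exposure."""
    return round(vuln.base_score * service.exposure, 1)

def build_alerts(vulns, services, server_filters):
    """One alert per (server, product) pair that a vulnerability affects."""
    alerts = []
    for vuln in vulns:
        for svc in services:
            flt = server_filters.get(svc.server)
            if flt is not None and not flt(vuln):
                continue                   # excluded by this server's filter
            if svc.cpe in vuln.cpes:
                alerts.append({"server": svc.server, "cve": vuln.cve_id,
                               "cpe": svc.cpe, "risk": risk_factor(vuln, svc)})
    return sorted(alerts, key=lambda a: -a["risk"])

OPENSSL = "cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*"      # constructed
POPPLER = "cpe:2.3:a:freedesktop:poppler:0.12:*:*:*:*:*:*:*"   # constructed
VULNS = [  # constructed CVE ids and scores, not real advisories
    Vulnerability("CVE-0000-0001", frozenset({OPENSSL}), "AV:N/AC:L/Au:N/C:P/I:N/A:N", 5.0),
    Vulnerability("CVE-0000-0002", frozenset({OPENSSL}), "AV:L/AC:L/Au:N/C:P/I:N/A:N", 2.1),
    Vulnerability("CVE-0000-0003", frozenset({POPPLER}), "AV:N/AC:M/Au:N/C:P/I:P/A:P", 6.8),
]
SERVICES = [Service("web01", OPENSSL, 1.0), Service("ws02", POPPLER, 0.5)]
FILTERS = {"web01": remote_only}   # web01's administrator only wants remote issues
```

The same `remote_only` predicate applied to `VULNS` directly gives the subset a user with that filter would see in their daily report.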
Notification methods
How notifications are sent is defined by the notification plugins. By default there is only one, email, but you can define your own, for example to create a ticket in the incident database of your environment.
Vulnerability repository (SCAP Compliance)
All vulnerabilities loaded into SIGVI are inserted into the database, so a vulnerability repository is accessible with search options. Each row is linked with the definition at the source (NVD) and with the detail of this vulnerability.
Reports
One of the new and powerful functionalities of the latest version of SIGVI is reports. Reports are built using predefined TAGS which can be added by a global Administrator.
Users can subscribe to reports that are generated dynamically; the information is set for each user depending on their access level, group, etc.
Other functionalities
Database abstraction
The application is implemented on top of a database layer, so you can use any SQL-compliant database server (MySQL, Postgres, SQL Server, Oracle, Informix, ...).
User authentication
Users can be internal (username and password defined in the users table) or external (authentication via LDAP, DBMS, or your own method).
Multi language
By default English and Catalan are supported. Translate it to your own language.
User levels
Three levels are defined:
- Sigvi Admin: Full access
- Group Admin: Manage group users and validate alerts
- Server Admin: Final user, who really works with data (servers, services, alerts, ...)