On Wed, 3 Jan 2001, Carric Dooley wrote:
> I played with it a year ago or so, and the only thing that I found that
> was worse was Cisco's scanner (Net Sonar at the time). I would look at:
> ISS Internet Scanner, CyberCop Scanner, and Nessus (free!!). They all
> have their limitations, but are decent tools.
To be fair, a year is a hell of a long time with a changing product, and
Webtrends has put a lot of effort into their tool in the last 8 or so
months. Also to be fair, all of the mentioned tools fail to find some
things consistently, or provide a veritable plethora of false positives.
The interesting thing about Webtrends is that its tests are Perl based
and can be extended pretty easily with new modules to take advantage of
the report stuff. That's extended by the vendor, *or* by the customer.
I'm fairly certain that we didn't get anything proprietary out of them
when we looked at it to see how it extended.
I did think that it was slow on some of its scanning stuff though- but
part of that may have been the scanner taking hostile fire from a somewhat
bored attacker on the same subnet testing some "interesting" attack stuff
;)
We're[0] spending effort normalizing the results between commercial tools
and some free and proprietary ones we use, but it's an ongoing effort, and
doing normalization sucks if you're still back in the "list 800 good old
vulnerabilities and generate a consulting services offer with the results"
mode.
None of the tools "keep up" well, especially on the commercial side, and
some of them report a single problem a dozen ways. Which scanner or
scanners you use really depends a lot on what you expect to do with the
scan results and why you're scanning in the first place, as well as scale
points and criticality of results.
If you're using scanners for local self-testing, it's a good idea to be
one hop away from your target and let a router handle the ARP timeout
issues if you're scanning blindly, especially over a sparsely populated
address range.
Also, for some key vulnerabilities, some tools test only a specific way
which may miss vulnerable systems, so if there are specific
vulnerabilities which are important to you (such as the top N
vulnerabilities for a product or platform), you'll want to look carefully
at what's tested and how (sniffers and logging on a captive target help.)
Paul
[0] TruSecure Corporation, who employs me but doesn't necessarily endorse
my view of things, opinions or conclusions. We may have agreements with
some or all (my recollection is at least half) of the vendors mentioned,
but I'm not sure if we've pursued a relationship with Webtrends. NAI, who
makes CyberCop, is definitely a customer of ours in the ICSA Labs
certification environment for (at least) Anti-Virus and Firewall
products. We don't do public testing or certification of scanners through
the Labs though and the bulk of our scanner usage is on the TruSecure side
of the business. I hate when disclaimers are longer than messages so I'll
shut up now.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."