On Wed, Feb 06, 2002 at 10:27:31AM -0500, Thomas Reinke wrote:
> > clearly can not do any good. Add to this that the scripts on the page
> > are there for educational purposes, not really for installation purposes
> > (as they are not corrected over time)...
>
> An incredibly easy mistake for anyone to make.
>
> a) The web site until very recently suggested these were the
> latest scripts.
> b) The software that would appear to keep your nessus system
> up to date (nessus-update-plugins) works off the text
> equivalent of this page. (Or at least it did until recently.
> This suggests this page WAS authoritative).
>
> We noted recently the change on this page to say that it is
> "for educational purposes only". This actually ADDS a Nessus
> weakness. The ability to cleanly and easily update your test
> environment (and know WHAT is being updated) is not available
> (arguably never was, but the perception was there that it was).

You have the list of plugins on the website, you download the full
archive, as now emphasized on the webpage. People should not manually
install those plugins, as they're all the initial revision of the
plugin (so they might be subject to bugs).

> If Mandy makes that mistake, I'll guarantee that users that
> want to rely on using an up to date Nessus will also make
> that mistake. The "keep-things-up-to-date" infrastructure
> I suspect needs to be cleaned up a bit, even if it's just
> a case of deleting "nessus-update-plugins" (or changing
> its behaviour).

nessus-update-plugins does the Right Thing(tm). Manually downloading
the plugins one after the other clearly is not the way to go.

Also, I stand corrected regarding Mandy - she told me afterwards that
she indeed gave NT credentials to Nessus. There's an issue to
investigate on my side here.

-- Renaud