Renaud Deraison wrote:

>On Mon, Jun 10, 2002 at 12:27:20PM -0400, David Ford wrote:
>  
>
>>I have looked at it. How many of the nessus plugins actually reference 
>>them?  Out of 1002 scripts, 318 reference CVE entries.  
>>    
>>
>
>I don't know how you obtained that figure :
>[renaud@delusion scripts]$ ls *.nasl|wc -w
>    986
>[renaud@delusion scripts]$ grep script_cve_id *.nasl|wc -l
>    578
>  
>
Because I grepped for CVE, not script_cve_id.  I missed the CAN entries. 
Mea culpa.

>[...]
>When it does not do that, it's a bug which should be reported. Once you
>know Nessus is not 100% confident on the result, it's your job, as a
>pen-tester, to verify that.
>

I always do verify it and I know it should be reported.  I don't have 
time for it yet, that's why I've made it a summer project for myself.

>No. QueSO is used if you don't have nmap installed / enabled. It's a
>"better than nothing" solution.
>
I have nmap installed on every machine of mine, they are all of similar 
design.  nmap is always /usr/local/bin/nmap, it's a tarball I untar on 
each machine. On some machines, nessus sometimes thinks nmap is 
available, sometimes not.  I haven't had time to figure out why it only 
wants to use nmap for a small part of the scan.  I know it finds nmap 
because it's running as a sub process under nessusd.

Honestly, I'd rather have the "nothing" answer than QueSO because it's 
-very- inaccurate.

>
>[....]
>  
>
>>Everyone picks their own priorities on tests and results and everyone is 
>>interpreting them with sometimes very significant differences.  It isn't 
>>just plugins that needs commonality, it's the whole process.
>>
>>We the tester suffer the angst of the client because the client argues 
>>that your results don't match the previous contractor.  Who are they 
>>going to believe when everybody gives them something different?  How can 
>>we argue our case when we know our stuff isn't rock solid?
>>    
>>
>
>
>That's why, as a responsible pen-tester, you're bound to manually verify
>everything. If you just enter an IP, click, print the result and ask for
>cash, then something is wrong.
>

I'm not a click and collect tester ;)  I can argue the fine points of 
things today, but tomorrow I'm not going to have the time to be familiar 
with every new hardware device, every new protocol, etc.  I will more 
and more rely on my tools to give accurate results because I as one 
person simply cannot be aware of nor familiar with -everything-.  I can 
do research or work full time, trying to do both results in a gradual 
but steady degradation.

But I am frustrated from both ends.  The client gets varying results and 
I don't have any -reliable- tools.  Nothing in the industry gives 
collaborative reliable results.  I know well the problems of software, 
I've written software for a long time.  I'm not saying that nessus is 
bad code, I'm wanting collaborative development of tools, standards. 
Nobody can quantify or give an accurate risk assessment because there 
aren't any standards to measure deviation.

As the plethora of vulnerabilities (Thank you Mickysoft) grows 
significantly every week, doing manual verification on everything will 
become effectively impossible.  We need to be able to nail things down 
as always reliable results so we have time to evaluate everything. 
There's no point in doing an assessment of a large network if by the 
time the assessment is done it's horribly out of date.

David

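The counting discrepancy at the top of the thread (grep for "CVE" versus grep for script_cve_id) comes down to the CAN-YYYY-NNNN candidate identifiers, which contain no "CVE" substring. The script below is an added illustration, not code from this list or from the Nessus project: it builds a constructed scratch directory of made-up .nasl files, runs both counts over it, and then goes one step further than either by extracting every CVE or CAN identifier so the plugin set can be compared against the CVE list itself. The file contents, names and counts are fabricated for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the nessus list or the Nessus project.
# Shows why grepping for the literal string "CVE" undercounts plugins that
# carry identifiers: script_cve_id() also takes CAN-YYYY-NNNN candidate
# entries, which do not contain "CVE". All .nasl contents are constructed.
set -eu

# Create a throwaway directory of fake plugins and print its path.
make_fixture() {
    dir=$(mktemp -d)
    # plugin with a confirmed CVE entry
    printf 'script_cve_id("CVE-1999-0001");\n' > "$dir/a.nasl"
    # plugin with candidate (CAN) entries only: grep "CVE" misses this one
    printf 'script_cve_id("CAN-2002-0001", "CAN-2002-0002");\n' > "$dir/b.nasl"
    # plugin with no identifier at all
    printf '# informational check, no identifier\n' > "$dir/c.nasl"
    # plugin mixing both kinds of identifier
    printf 'script_cve_id("CVE-2000-0010", "CAN-2002-0003");\n' > "$dir/e.nasl"
    echo "$dir"
}

# Total number of plugin scripts in the directory.
count_scripts() { ls "$1"/*.nasl | wc -l | tr -d ' '; }

# First method from the thread: files containing the literal string "CVE".
count_grep_cve() { grep -l 'CVE' "$1"/*.nasl | wc -l | tr -d ' '; }

# Second method from the thread: files calling script_cve_id(), any prefix.
count_script_cve_id() { grep -l 'script_cve_id' "$1"/*.nasl | wc -l | tr -d ' '; }

# Extract every distinct identifier, CVE or CAN, one per line, sorted.
list_ids() { grep -ohE '(CVE|CAN)-[0-9]{4}-[0-9]{4,}' "$1"/*.nasl | sort -u; }
count_ids() { list_ids "$1" | wc -l | tr -d ' '; }

FIXTURE=$(make_fixture)
echo "scripts:        $(count_scripts "$FIXTURE")"
echo "grep CVE:       $(count_grep_cve "$FIXTURE")"
echo "script_cve_id:  $(count_script_cve_id "$FIXTURE")"
echo "distinct ids:   $(count_ids "$FIXTURE")"
list_ids "$FIXTURE"
rm -rf "$FIXTURE"
```

On the constructed fixture the "CVE" grep reports 2 of 4 scripts while the script_cve_id grep reports 3, and the identifier extraction finds 5 distinct entries; the extracted list is the thing worth keeping, since it is what you can diff against a downloaded CVE list rather than just a headcount.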
