On Mon, Jun 10, 2002 at 01:30:10PM -0400, David Ford wrote:
> >No. QueSO is used if you don't have nmap installed / enabled. It's a
> >"better than nothing" solution.
> >
> I have nmap installed on every machine of mine, they are all of similar
> design. nmap is always /usr/local/bin/nmap, it's a tarball I untar on
> each machine. On some machines, nessus sometimes thinks nmap is
> available, sometimes not.
Make sure nmap is in your $PATH before you start nessusd...
[...]
> Honestly, I'd rather have the "nothing" answer than QueSO because it's
> -very- inaccurate.
Few checks really rely on QueSO's (or even Nmap's FWIW) findings
(grep for "Host/OS", and you'll find only 7 scripts use that
information), and there is a good reason for that: you never know what
kind of twisted configuration is set up behind (reverse proxy, reverse
NAT, whatever).
To answer your questions:
. "Why vendor A says it's critical while vendor B says
it's not?"
This is a completely subjective issue. Some people don't
care if their php scripts are showing that the physical location of the
remote web root is /home/html/www.foo.org, while others do. Some people
don't care if anyone can get root using the service running on port 1234
because they know only traffic going to port 80 is allowed. And the list
goes on.
There's no silver bullet for classification.
When the new plugin layout is defined, there will be a
RISK_FACTOR field, overridable by user prefs. Ideally, in the future,
when you receive your report and Nessus says you have a HIGH
vulnerability on port x, you'll be able to right-click on it and
moderate it to "Low", and nessus-the-client will remember that.
This was suggested by Lionel Cons.
. "Some plugins are reliable, and others are not. Even though they
write in BIG in the advisory that the result is not 100% reliable,
I'm not happy"
It was suggested to me(*) to add an "accuracy" field in the definition of the
plugins, and that makes sense somehow, as you'll be able to sort the
vulnerabilities by accuracy, which may be useful.
. "When will this stuff be implemented?"
I dunno. However, by the end of the month, I'll be able to give a more
precise roadmap.
-- Renaud
(*) Sorry to the person who made this suggestion, I forgot his name.