Michael Schmitt wrote:
> Hi folks,
>
> I am confused! I was told that Nessus makes use of Nikto (if it is
> installed) so I had a quick look at its man page. To my surprise, nikto
> makes essentially the same type of checks that Nessus does. So you can
> probably guess my question: Why do we need both tools and not just
> Nessus? If their features are overlapping, wouldn't it make sense to
> combine them into one product?
Yes, they do overlap a decent amount, and I initially thought a Nessus plugin for Nikto was kind of useless... I was swayed by Michel Arboi (who wrote the plugin) with the argument that Nikto does checks that Nessus may not, and between Nessus/Nikto/Whisker we are hitting just about every conceivable web and cgi check, as each has checks the others may not. Nikto also checks for things that may not be problems but that the admin should be aware of (help pages, etc.), and to my knowledge Nessus does not (only checks for actual vuls).

As for combining them into one product... it crossed my mind early on, but I've found that during some audits places will freak if you tell them you're going to run Nessus against their web servers, but since Nikto is "web checks only" and does no DoS checks it doesn't cause so much heartburn (others have told me this as well) (completeness of host audit aside). For reasons like that I will continue to maintain the Nikto/DBs for the foreseeable future.

Hope that answers some questions. You are of course free to not run the Nikto plugin ;-)

-Sullo
___________________________________________________
http://www.cirt.net/ - [EMAIL PROTECTED]: general discussions about Nessus.
* To unsubscribe, send a mail to [EMAIL PROTECTED] with "unsubscribe nessus" in the body.
