This is a very difficult question. For some people, they call this 'research'.
When I did the Dragon IDS, I had no problem looking at a competitor's web site
and seeing which checks they did to make sure we had those covered as well.
What I did not like is seeing my checks copied verbatim into other vendors'
and open-source tools, including the spelling mistakes and errors in the
signatures.

If you take N-Stealth's list directly, I would think this would constitute
reverse engineering, especially if one of their directory checks is not
really real and designed to be a 'honeypot' check so to speak. Consider
some rule that checks for '/bo2k_test/cgi-bin/' in their list. How do you
know that really is a check that is for a vulnerability they know about?

Ron Gula
Tenable Network Security




At 01:42 PM 6/10/2003 -0700, John Lampe wrote:
I downloaded N-stealth, and ran it against one of my apache servers...I then
parsed out my logs to see what it was looking for...

It does a bunch of extra unicode checks and it checks for a *crapload* of
default directories...

Maybe someone can help me...is there anything wrong with me going through my
log files, finding deltas (between Nessus and N-stealth), and adding these
to Nessus????

John W. Lampe
https://f00dikator.aceryder.com/


----- Original Message -----
From: "~Kevin Davis" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 09, 2003 7:54 PM
Subject: Re: N-Stealth vs. Nessus


> To further that thought, ISS Internet Scanner (6.21/7.0) only covers
> slightly over 1,200 vulnerabilities. And several of those are very old
> vulns. There is a big difference between having a database of vulns and
> properly scanning and identifying them and them being relatively pertinent.
>
> ~Kevin Davis
>
> What possibly could go wrong?
> ----- Original Message -----
> From: "Renaud Deraison" <[EMAIL PROTECTED]>
> To: "Luman" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Monday, June 09, 2003 9:31 PM
> Subject: Re: N-Stealth vs. Nessus
>
>
> > For the record, securityfocus's vuln database
> > contains less than 8,000 entries at this time (including non-web and
> > local vulnerabilities), and I think ISS's XF database contains ~ 12,000
> > entries (and again, this includes local and non-web vulnerabilities).
>

