Hi everybody,

Just subscribed to this list because I have a question that I figure you guys have come across before. Hopefully you can save me some time (and a lawsuit or two :) ).

I'm currently adding vulnerability checks to Nmap using the scripting engine. So far, I've been basing them on scripts that people put online without licensing (I don't base them on the code, just on the network traffic). I'd like to add support for other Windows vulnerabilities, though. For example, having a check for ms06-040 would be really nice. However, I can't find any free checkers (and even GPL, without special accommodations, is incompatible with Nmap's license). Even with ms08-067, I'm using a check that's used by Metasploit, but it crashes over 50% of systems, which is definitely not good. Foundstone and Nessus have better ones, but their licensing makes it prohibitive.

Which leads me to my question -- I have no interest in looking at the source for checks done by, say, Foundstone or Nessus. However, looking at their network traffic and reproducing their checks can be extremely helpful. But I don't know how licensing works, in this case -- does the licensing on their code apply to network traffic with Windows, or does the licensing end at the source code level? I'd like to add the same checks as them at the traffic level, but I don't want to violate licenses.

Can somebody here tell me where the line between violations/fair use is drawn in this case? With the nature of OpenVAS, you must have run across this before.

Thank you kindly!

Ron

--
Ron Bowes
http://www.skullsecurity.org/