On Monday 18 June 2007 18:42:26 Tim Brown wrote:
> Ok, so after hacking around with the web site a little and attempting a
> build on a clean VM image, my thoughts are turning to the plugins which are
> in urgent need of update to check for new vulnerabilities. Some thoughts
> from an initial perusal of the tree:
>
> Merging the local checks for each platform? This can be done, and in fact
> I think these checks could be built in an automated fashion, at least on
> Debian. What do people think?
>
> Web application checks appear to be tested rather arbitrarily, with some
> checks within application scripts, some in dangerous_cgi.nasl etc... It
> all seems a bit haphazard. Now applications is an interest of mine, and
> indeed I have a number of checks to add, but what are people's thoughts
> about how to organise these checks? How about with directory traversals
> and file include flaws?
>
> Finally, to what level do people feel it is necessary to check flaws such
> as stack and heap overflows? Where possible just validate by version? Or
> some more in-depth form of check? What happens if we can't get a version
> number back from the application?
>
> My ideal world would be 1 OSVDB entry, 1 script and validate to whatever
> level allows confirmation that the bug really exists, but let me know what
> you think.
>
> Tim

Okay, talking to Debian Security folk:

svn://svn.debian.org/svn/secure-testing/data/DSA/list

is a machine-readable version of the DSA, so I'm going to hack up some perl to generate the scripts next :).

Javier, is this useful to the current nessus package in Debian? I'm looking at my install and the latest DSA check is DSA-869.

Tim
--
Tim Brown
<mailto:[EMAIL PROTECTED]>
<http://www.nth-dimension.org.uk/>
