Re: [Openvas-discuss] Concept for OpenVAS homepage
Hi,

I just put online an initial coarse web site at www.openvas.org

I did it right away because due to various complaints, anything else seems better than the default page of GForge.

To change the homepage, one needs to check out the code in module doc/website and then (on a unixoid system):

$ make
$ make online

For the latter you need to have SVN write access, because the same account is used for writing web site content.

So, it is easy to work on the web site. Anyone welcome who volunteers to improve.

On Friday 27 April 2007 17:05, Jan-Oliver Wagner wrote:

Elements that should appear on the main page:

- OpenVAS Logo
See here for the logo that has been proposed in 2006, but not finally agreed upon. http://www.36hrs.com/openvas-dino/logo.png

I used the one we discussed. However, in case we use this logo, we definitely need a vector version. Still missing.

- About area
- A short description of OpenVAS. For example: OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner. It consists of a server component and a set of plugins to test various vulnerabilities in remote systems and applications. It is Free Software under GNU GPL and a fork of Nessus.

I simply applied this draft.

- A drawing that roughly illustrates the plugin flow. I could draft something.

Still to come.

- Download area: OpenVAS Server, Clients, Documentation
Both, binary packages and source codes. (current binaries directly, all others on a download subpage)

well, not yet of course.

- Plugins area:
Total number of available plugins
infos about latest plugins (integrated as RSS feed)

also not ready yet.

- Support area
- link to mailing lists
- link to where report errors
- link to howto's
- link to FAQ
- link to professional support page

Partly available yet.

- a cool photo that makes the whole page nice
I do not have anything special in mind and would be happy about any proposal that could fit for OpenVAS project.

Please help and send cool photos !

- Which technology to use? Perhaps just plain HTML files?

Just used m4 + make for a little pre-processing.

Best

Jan

-- 
Dr. Jan-Oliver Wagner, Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Re: [Openvas-discuss] Ideas and wishes for future improvements of OpenVAS
On Wednesday 16 May 2007 21:00, Kenneth Ng wrote:

- Plugin severity override: some places value some vulnerabilities more than others. For example: some places rank anonymous CIFS connections as vital to their business. Others say it's a big risk. Having a front end to override the degree instead of patching the plugin would be nice.

perhaps this is related to the false-positive marking discussion I remember to have read somewhere. Anyway, a good point.

- An option to say: do not add new plugins to the .nessusrc file. Or maybe, add all new ones as no. Sometimes I want to run a given set of plugins periodically. I don't want all new ones to also get run.

I remember to have read this wish before. Yes, I stumbled across this already myself.

- Ability to do a diff between two scan results.

A long-standing wish indeed. IMHO this should have high priority. It is a client-side feature though. So maybe to implement in NessusClient.

- database option for the results.

IIRC there even is/was a branch in Nessus CVS with this feature? Perhaps worth investigating this.

Best

Jan
[Openvas-discuss] Summary of ideas for future OpenVAS functionalities
Hello,

thanks for all of your feedback. I summarized the ideas (see below) that arrived so far.

I propose to put the list on the www.openvas.org website under something like Brainstorm for future OpenVAS functionalities. It should be noted that it is post-1.0 plans and that the roadmap for post-1.0 will pick from this list.

Anyone volunteering to do this?

Best

Jan

- Plugin severity override:
Some places value some vulnerabilities more than others. For example: some places rank anonymous CIFS connections as vital to their business. Others say it's a big risk. Having a front end to override the degree instead of patching the plugin would be nice. This is related to ideas about false-positive marking.

- Configurable option Don't automatically add and run new plugins:
An option to say: do not add new plugins to the .nessusrc file(s). Or maybe, add all new ones as no. Sometimes I want to run a given set of plugins periodically. I don't want all new ones to also get run.

- Direct support of Database:
OpenVAS Server should optionally write results into a database. It is to be discussed whether this is done additional to sending the results via Nessus Protocol. Also the question is open whether the server manages access to the database directly or whether users submit DB connection and authorization details so that the data are written there.

- Re-connect to running OpenVAS scans:
OpenVAS should run in the background without a permanent connection to the client. Re-connection should then allow to get the results. Email notification at scan completion is helpful as well.

- New Client-Server protocol:
Replace the old Nessus Protocol by something based on standard protocol technologies and iron out current weaknesses like the character encoding.

- Trace function:
Show sets of queries. Each query is composed of the rule that was used, the destination IP and port, the data sent, and the data returned. This will make it easier to determine false positives.

- Improved NASL debugging

- Condensed Plugins:
E.g. all the Debian local security checks could be condensed into few (for each year). It is not clear yet which other implications this might mean.

- Generic Plugins
Plugins with some heuristics to generically detect weaknesses in web applications.
Re: [Openvas-discuss] Summary of ideas for future OpenVAS functionalities
On Thursday 24 May 2007 22:13, Javier Fernández-Sanguino Peña wrote:
On Thu, May 24, 2007 at 09:39:37PM +0200, Jan-Oliver Wagner wrote:

However, I don't have any CVS access to nessus-core anymore. Anonymous access has been already switched off some time before that.

Well, I still have my local CVS copy.

great :-)

So, I am afraid there it is not really easy to simply retrieve the code. The tar-ball releases of Nessus-2 are only snapshots of HEAD. Also the OpenVAS modules did take a snapshot of HEAD and not of any branches.

Attached is a diff I've just made of NESSUS_SQL vs. the 2.2.5 release. I think the database integration was not tested with this release. Off the top of my head, I think I did test the code in 2.2.3 and worked with MySQL. There are some known issues with the code, however, see the TODO.

good. Perhaps Oliver may take a closer look at it.

Best

Jan
Re: [Openvas-discuss] (no subject)
On Friday 18 May 2007 09:25, Renaud Deraison (lists) wrote:

I have been contacted by Tenable. They are pretty sure some plugins in openvas-plugins module are present that should not be there due to never being GPL licensed. Basically it should at least be anything that matches

grep -i 'script_copyright.*Tenable.*' scripts/*

Just a clarification: I was referring to the list of plugins seen in the email that Jan sent to openvas-devel:

http://lists.wald.intevation.org/pipermail/openvas-devel/2007-May/000315.html

Whereby some plugins such as the Veritas Netbackup plugins have never been released in the GPL feed and whose release post-dates our license announcement nearly by a full year.

not sure whether there is a misunderstanding here: The list I posted named proprietary plugins we are missing to reactivate GPL plugins. So it is even absolutely correct the veritas*.nasl appear on this list.

In other words, none of the listed plugins is present in openvas-plugins/scripts. Including any veritas*.nasl which I just double-checked to make sure my analysis script is not buggy ;-)

Best

Jan
Re: [Openvas-discuss] DebConf
On Saturday 09 June 2007 00:56, Oliver Day wrote:
On 6/1/07 11:54 AM, Jan-Oliver Wagner wrote:
On Wednesday 30 May 2007 01:20, Tim Brown wrote:

Anyone thinking of attending DebConf this year? I'm going and will be wearing my OpenVAS hat when appropriate. One thing I'm aiming to tackle is the delisting (or rather the never listing) of OpenVAS as an SPI project, since as far as I know we never made it to their project list on the web site. Other than that, I'll be at various security related talks (see my web site blog for more details) if anyone fancies catching up and shooting the breeze.

I'm afraid I could not be at DebConf. However, it would be really good if you could revive the dialog with SPI and hopefully convince them to adopt OpenVAS as a project. Maybe contact Neil prior to the conference to prepare this?

While I won't be able to attend DebConf I am interested in restoring SPI status to our project and pinged a friend of mine on this. We have an active and interested group to maintain this project now but what we lack is a democratic decision-making structure to deal with issues such as money. I think with the latter in place we could approach SPI again and ask them to restore our status. DebConf is two weeks away which gives us just enough time to elect a decision making structure. All in favor?

absolutely :-)

IIRC there was a formal description of decision making structure before the server crashed. Maybe it needs just to be restored as well? Tim and Robert should know ...

Best

Jan
Re: [Openvas-discuss] OpenVAS Roadmap
On Monday 11 June 2007 15:49, Jan-Oliver Wagner wrote:

I converted the recently collected ideas for future improvements into HTML, added the idea by Robert Rich and also a planned release date for OpenVAS 1.0 and created a web page

http://www.openvas.org/roadmap.html

It is not linked from the main page yet.

now it is :-)

Best

Jan
Re: [Openvas-discuss] possible sources for security issue announcements
On Tuesday, 3 July 2007, Tim Brown wrote:
On Tuesday 03 July 2007 09:32:33 Meike Reichle wrote:

I've been following the discussions on this list for a while and thought I might finally have something to contribute. Over here at DN-Systems we are currently thinking about automating the plugin development process as much as possible. For that I've prepared a list of different sources for security issue and vulnerability announcements. Maybe you can use it for the OpenVAS feeds?

Sounds good, I agree that it would be very nice to automate plugin development. I've been working on doing just that with Debian's security advisories.

indeed a helpful overview.

I attached an overview table, if you have any additions or corrections to it let me know and I'll update it. Also, how about putting this as HTML on openvas.org?

If you supply me with the HTML I'll add it to the web site.

Thanks Tim. I second this.

I'd like to have the overview document on our SCM under doc/ so we can maintain it easily.

Meike: Would you send me the source file for this (off-list)?

Best

Jan
Re: [Openvas-discuss] OpenVAS project to take over NessusClient 1.X ?
On Friday, 29 June 2007, Oliver Day wrote:
On Fri, 29 Jun 2007, Jan-Oliver Wagner wrote:

as some of you might have seen, Tenable has released a new generation of NessusClient (3.0). It has nothing in common with the NessusClient 1.x generation. It is a complete rewrite (based on QT) and it is proprietary.

Renaud has sent me an archive file of the NessusClient repository. So we could continue with this client as Free Software easily and not losing CVS history.

However, some questions arise:

- should we add the client to the OpenVAS code repository as a module of its own? (IMHO yes)

- We need a new name to not conflict with the proprietary NessusClient. Some simple ideas (please come up with better ones):
OpenVAS-Client
OVAS-Client
VASC

openvas_client (it is sort of rubyish but I like it)

hm, underscores are a bit uncommon.

After some thinking, my preference is OpenVAS-Client. This has the lowest potential for misinterpreting. NTP-Client would be even more exact, but has some confusion on board.

If no one objects soon, I will import the code of NessusClient into the OpenVAS repository as module openvas-client.

Best

Jan
Re: [Openvas-discuss] Roadmap for OpenVAS-Client
Hello Javier,

On Thursday 05 July 2007 19:23, Javier Fernández-Sanguino Peña wrote:
On Thu, Jul 05, 2007 at 05:02:05PM +0200, Jan-Oliver Wagner wrote:

Any other consideration for an initial 0.9.0 release?

Have an OpenVas-client Debian package available? Note that I sent a while back Debian packages for nessusclient (see http://ftp-master.debian.org/new.html) so it might be trivial to adapt the 'debian' directory to make packages for OpenVAS-client and have them in Debian at the same time as the 0.9.0 release.

yes, that is a good point. NessusClient can be dropped anyway now since there is only proprietary versions left. OpenVAS-Client is the way to go.

I will try my very best to support the Debian package, but I'd appreciate any help as well!

Best

Jan
Re: [Openvas-discuss] Roadmap for OpenVAS-Client
On Friday 06 July 2007 16:54, Javier Fernández-Sanguino Peña wrote:
On Fri, Jul 06, 2007 at 09:07:07AM +0200, Jan-Oliver Wagner wrote:
On Thursday, 5 July 2007, Javier Fernández-Sanguino Peña wrote:
On Thu, Jul 05, 2007 at 10:09:23PM +0100, Tim Brown wrote:

I'm more than happy to work on packing the client for Debian. I already package arp-scan and sucrack for Debian.

We can co-maintain it, after all, I already provide the Nessus packages and would gladly provide OpenVAS packages too (or instead of).

IMHO OpenVAS will indeed replace Nessus simply because it is not legal to distribute Nessus packages compiled with OpenSSL.

How so? There is an OpenSSL exception to the Nessus GPL license for that.

I thought so too for a long time, but when preparing OpenVAS for release I was made aware of my mistake.

The OpenSSL Exception intentionally is only given for the client, not(!) for the server. You will find the file COPYING.OpenSSL only in the nessus/ directory of nessus-core.

Best

Jan
Re: [Openvas-discuss] Some last Plugins license issues (urgent)
On Thursday 26 July 2007 00:48, [EMAIL PROTECTED] wrote:
Quoting Javier Fernández-Sanguino Peña [EMAIL PROTECTED]:

In any case, they do not have proper GPL (or any other license) headers (nor do many other NASL plugins, BTW). Once we clear up the legal status of these plugins we should ensure that they all have proper license headers.

Indeed. If possible we can even resubmit incorrect ones back to the Nessus GPL feed with correct licenses.

I'd prefer to get things done for OpenVAS first.

Is it possible for Renaud (et al) to clarify the status of the plugins listed earlier for us?

IIUC, all is clarified through the releases that have been done in the past. We only need to check back when in doubt.

Best

Jan
Re: [Openvas-discuss] Creation Process for Network Vulnerability Tests
On Tuesday, 16 October 2007, Jan-Oliver Wagner wrote:

I drafted a process outline for the creation of OpenVAS NVTs and put it here:

http://www.openvas.org/creation-process-nvt.html

It is neither checked into SVN yet nor linked from the homepage.

now it is :-)

Best

Jan
Re: [Openvas-discuss] [EMAIL PROTECTED]: openvas-client_1.0.0-2_i386.changes REJECTED]
On Sunday 21 October 2007 02:53, Javier Fernández-Sanguino Peña wrote:

As you see in the email below, the openvas-client package was rejected from Debian based on the contents of doc/WARNING.En, this document describes the risks of running Nessus and starts saying:

hm, these files were present in NessusClient and Nessus-Server as well.

However, only way out is to remove doc/WARNING.[En|Fr] from openvas-client and openvas-server. Next we have to remove README_SSL from openvas_server which contains a similar phrase.

I guess there is no alternative. So, I will remove the files.

Javier/Tim: Could you patch out the two files for the time being? The next releases will take some time.

Best

Jan
Re: [Openvas-discuss] latest nessus-plugins tar-ball that still contained Debian local security checks ?
On Thursday, 1 November 2007, Javier Fernández-Sanguino Peña wrote:
On Mon, Oct 22, 2007 at 09:10:26AM +0200, Jan-Oliver Wagner wrote:

Anyone has this in his/her archive?

I might have it, what file are you specifically looking for? In any case, I believe these plugins are in the nessus-plugins package in Debian. Have you taken a look at the contents of that one?

so far I found these:

4b2710dfb7d7957145b6f101edfba7a7 nessus-plugins-GPL-2.2.5.tar.gz
96198eeba6acfc2ac89781128564d27b nessus-plugins-2.2.6.tar.gz
ff542c72fd070f1f0d41c964a4bbb373 nessus-plugins-2.2.9.tar.gz
2bac30f702c4a794a29660b8e9dd1077 nessus-plugins_2.2.9.orig.tar.gz
8668cd64379731d6876d93b96f45d9b8 nessus-plugins-2.2.10.tar.gz

Interestingly enough the 2.2.9 md5sums differ. But I haven't tracked this down yet.

What I tried to find is in fact a package signed by Renaud, but maybe he never signed them.

Best

Jan
Re: [Openvas-discuss] Revision of non-free plugins in OpenVAS' SVN
Hello Javier,

thanks for your license audit scripts!

On Thursday, 1 November 2007, Javier Fernández-Sanguino Peña wrote:

If somebody wants to get Tenable to add proper license headers to *all* of their plugins (nasl) and include files conforming to what has been done in the past (GPL releases of the nessus-plugins package and GPL feeds) I can provide them with 4 years' worth of code (from the 1.3.1 to present) to dig in and sustain his/her arguments with.

I don't think this is really worth it to seek for an overall solution. Maybe it will be interesting for single scripts, if at all.

Best

Jan
Re: [Openvas-discuss] Revision of non-free plugins in OpenVAS' SVN
On Thursday, 1 November 2007, Javier Fernández-Sanguino Peña wrote:

Since OpenVAS is based on the 2.2.9 release and, specially, on the Debian packages I wrote for that release, it might be worthwhile to do this review too. The output of the 'audit-plugins' script might be useful and could be a start point to cleaning the scripts/ dir of non-free stuff.

here is the result we have to work on (there might be some false positives though):

Looking for non-free plugins...
NON-FREE plugin sasser_virus.nasl found
NON-FREE plugin scan_info.nasl found
NON-FREE plugin ssh_settings.nasl found
NON-FREE plugin zope_multiple_flaws.nasl found
NON-FREE plugin aix.inc found
NON-FREE plugin backport.inc found
NON-FREE plugin crypto_func.inc found
NON-FREE plugin default_account.inc found
NON-FREE plugin dump.inc found
NON-FREE plugin http_keepalive.inc found
NON-FREE plugin imap_func.inc found
NON-FREE plugin misc_func.inc found
NON-FREE plugin nfs_func.inc found
NON-FREE plugin pop3_func.inc found
NON-FREE plugin rpm.inc found
NON-FREE plugin smb_file_funcs.inc found
NON-FREE plugin smb_nt.inc found
NON-FREE plugin solaris.inc found
NON-FREE plugin ssl_funcs.inc found
NON-FREE plugin telnet_func.inc found
NON-FREE plugin url_func.inc found
21 NON-FREE plugins found

Best

Jan
Re: [Openvas-discuss] Revision of non-free plugins in OpenVAS' SVN
On Tuesday, 6 November 2007, Jan-Oliver Wagner wrote:
On Friday, 2 November 2007, Jan-Oliver Wagner wrote:
On Thursday, 1 November 2007, Javier Fernández-Sanguino Peña wrote:

Since OpenVAS is based on the 2.2.9 release and, specially, on the Debian packages I wrote for that release, it might be worthwhile to do this review too. The output of the 'audit-plugins' script might be useful and could be a start point to cleaning the scripts/ dir of non-free stuff.

here is the result we have to work on (there might be some false positives though):

After some cleanup this remains:

Looking for non-free plugins...
NON-FREE plugin backport.inc found
NON-FREE plugin default_account.inc found
NON-FREE plugin http_keepalive.inc found
NON-FREE plugin imap_func.inc found
NON-FREE plugin misc_func.inc found
NON-FREE plugin nfs_func.inc found
NON-FREE plugin pop3_func.inc found
NON-FREE plugin smb_file_funcs.inc found
NON-FREE plugin smb_nt.inc found
NON-FREE plugin ssl_funcs.inc found
NON-FREE plugin telnet_func.inc found
NON-FREE plugin url_func.inc found
12 NON-FREE plugins found

Each of these will deactivate some or even many of the nasl scripts when removed. Well, we do not have an option right now, so these inc-files have to be removed from the SVN repository.

done now.
Re: [Openvas-discuss] Revision of non-free plugins in OpenVAS' SVN
On Wednesday, 7 November 2007, Javier Fernandez-Sanguino wrote:
2007/11/6, Jan-Oliver Wagner [EMAIL PROTECTED]:

| ...done
| 1597 FREE plugins that depend on NON-FREE found
| Please fix this and rerun the script

of course, the number is incorrect if run in a SVN checkout.

Why is it incorrect?

e.g.:

...
Checking for use of backport.inc...
31 files depend on this NON-FREE include file:
../scripts/.svn/text-base/php_split_mime.nasl.svn-base
../scripts/.svn/text-base/apache_conn_block.nasl.svn-base
../scripts/.svn/text-base/openssh_channel.nasl.svn-base
../scripts/.svn/text-base/samihttp_1_0_4.nasl.svn-base
../scripts/.svn/text-base/apache_log_injection.nasl.svn-base
../scripts/.svn/text-base/openssh_uselogin_environment.nasl.svn-base
../scripts/.svn/text-base/apache_mod_proxy_buff_overflow.nasl.svn-base
../scripts/.svn/text-base/apache_mod_include_priv_escalation.nasl.svn-base
../scripts/.svn/text-base/mod_ssl_hook_functions_format_string_vuln.nasl.svn-base
../scripts/.svn/text-base/ssh_forwarding.nasl.svn-base
../scripts/.svn/text-base/openssh_afs.nasl.svn-base
../scripts/.svn/text-base/apache_access_wo_netmask.nasl.svn-base
../scripts/.svn/text-base/apache_htpasswd_overflow.nasl.svn-base
../scripts/.svn/text-base/apache_input_header_folding_dos.nasl.svn-base
../scripts/.svn/text-base/php_strip_tags_memory_limit_vuln.nasl.svn-base
../scripts/.svn/entries
../scripts/php_split_mime.nasl
../scripts/apache_conn_block.nasl
../scripts/openssh_channel.nasl
../scripts/samihttp_1_0_4.nasl
../scripts/apache_log_injection.nasl
../scripts/openssh_uselogin_environment.nasl
../scripts/apache_mod_proxy_buff_overflow.nasl
../scripts/apache_mod_include_priv_escalation.nasl
../scripts/mod_ssl_hook_functions_format_string_vuln.nasl
../scripts/openssh_afs.nasl
../scripts/ssh_forwarding.nasl
../scripts/apache_access_wo_netmask.nasl
../scripts/apache_htpasswd_overflow.nasl
../scripts/apache_input_header_folding_dos.nasl
../scripts/php_strip_tags_memory_limit_vuln.nasl
...done
...

Next, what am I asked to fix here? Implement the inc files? ;-)

Well, I have *removed* them in the Debian nessus-plugins package or, in some cases, replaced them with *older* versions which did not include the inc files. With some grep+find magic you can do this in a semi-automatic way (by running the script under different releases and finding which scripts do not show up as depending on unavailable inc files in those).

yes, I fear we need to go through the scripts and do this work. It is probably best to organize this process in a way that certain groups of scripts are addressed and being worked on. I choose the Debian local security checks as a group to get them running as good as possible. And they do, based on the debian_DSA* from nessus 2.2.10 and support nasl and inc files I assembled from older version, were contributed by Thomas or wrote myself.

You might want to take a look at the Debian patches of nessus-plugins 2.2.10 (available at packages.debian.org) to see which scripts I replaced with older versions.

I have these packages over here and always use them for comparison purposes.

IMHO this has more informative character than a license problem. Am I wrong?

If you leave these in and distribute them whenever the OpenVAS server starts it will complain (when loading the NASL files) that it does not find the .inc files X, Y or Z. Since the NASL scripts will not be enabled (and run) in the server it makes more sense to either remove them or not distribute them (excluding them from the tar.gz that gets built but keeping them in the sources)

I'd vote for leaving them in as long as we have not reached 1.0.0 of openvas-plugins. But maybe even keep them in but not sign them. Or clearly communicate which groups of NVTs we have verified to be complete. We have several options apparently.

Best

Jan
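The over-count discussed in the message above (pristine copies under .svn/text-base and the .svn/entries file being reported as dependents of an include file) can be avoided by pruning SVN metadata from the search. This is an added example, not part of the thread and not the project's audit-plugins script; the include("...") match, the function names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not the project's audit-plugins script): count NASL scripts
# that depend on a given include file inside a Subversion working copy.

# naive_dependents DIR INCFILE
# Lists every file under DIR that mentions INCFILE. In an SVN checkout this
# also matches the pristine copies in .svn/text-base and .svn/entries.
naive_dependents() {
    find "$1" -type f -exec grep -l -F -e "$2" {} + | sort
}

# list_dependents DIR INCFILE
# Lists only real *.nasl scripts that include INCFILE. Directories named .svn
# are pruned, so find never descends into SVN metadata.
list_dependents() {
    find "$1" -type d -name .svn -prune -o \
        -type f -name '*.nasl' -exec \
        grep -l -F -e "include(\"$2\")" -e "include('$2')" {} + | sort
}

# count_lines: number of lines on stdin, without wc's padding.
count_lines() {
    wc -l | tr -d ' '
}

# make_sample_tree
# Builds a constructed working copy (sample data, not real plugins) and
# prints its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/scripts/.svn/text-base"
    # Two scripts that depend on the non-free include file.
    for name in apache_conn_block openssh_afs; do
        printf 'include("backport.inc");\n' > "$root/scripts/$name.nasl"
    done
    # One script that depends only on a hypothetical free include file.
    printf 'include("free_helper.inc");\n' > "$root/scripts/free_check.nasl"
    # SVN keeps a pristine copy of every versioned file.
    for f in "$root"/scripts/*.nasl; do
        cp "$f" "$root/scripts/.svn/text-base/$(basename "$f").svn-base"
    done
    # SVN bookkeeping file that names backport.inc without including it.
    printf 'backport.inc\nfile\n' > "$root/scripts/.svn/entries"
    printf '%s\n' "$root"
}

# Demonstration on the constructed tree.
tree=$(make_sample_tree)
echo "naive count:  $(naive_dependents "$tree/scripts" backport.inc | count_lines)"
echo "pruned count: $(list_dependents "$tree/scripts" backport.inc | count_lines)"
rm -rf "$tree"
```

On the constructed tree the naive search reports five files for two real dependents, the same kind of inflation as the 31 files listed for backport.inc in the message.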
Re: [Openvas-discuss] OpenVAS-is-alive PR?
Hi,

I now submitted the German news. Let's see whether it is interesting enough to publish and hope it will not be modified too much.

On Tuesday, 20 November 2007, Robert Berkowitz wrote:

The press release looks good! I also agree the wording is good. Spells out what OpenVAS is and steps taken to keep it open source. I know some PR people over here in the states that can give us some tips when we are ready for a larger campaign.

nice. However, before a larger campaign might start, we need to start continuous work on NVTs ...

... any thoughts on how to organize this are welcome. Maybe we can find people who take over responsibility for certain families. What I can do is to make life of NVT developers as easy as possible and support them with helpful tools.

Best

Jan
[Openvas-discuss] Progress on Debian uptake of OpenVAS?
Javier, Tim,

any news about the progress of the Debian uptake of OpenVAS client and server packages?

Anything I can do?

Best

Jan
Re: [Openvas-discuss] Progress on Debian uptake of OpenVAS?
On Tuesday, 27 November 2007, Tim Brown wrote:
On Friday 23 November 2007 22:23:01 Jan-Oliver Wagner wrote:

Javier, Tim, any news about the progress of the Debian uptake of OpenVAS client and server packages? Anything I can do?

IMO we have resolved the copyright issues with the client package. We do however need to resolve the issue with including our own gdchart. I'm more than happy to take a look at it, but I wondered what the collective wisdom was on this task. Can I simply remove the existing gdchart directory from subversion and then patch the build process to use the system installed equivalent. This strikes me as the cleanest approach but might also lead to temporary breakage of the version in SVN for other distros. Any thoughts?

AFAIU, it was only requested to link the system lib, not to remove the internal copy. IIRC, this is already the case for the old nessus-core packages. May serve as an example.

As for the server, I've just been building a new VM in which I can work on OpenVAS developments, so I'll hopefully start packaging the server components this week.

That'll be great.

Best

Jan
[Openvas-discuss] NASL scripts to retrieve Windows registry information?
Hello,

seems like the base NASL script to retrieve Windows registry (and possibly other information) as a base for other tests (local security checks among others) is not released as Free Software.

Does anyone know how complex it will be to rewrite such a script? (I am not really a Windows expert).

I found various GPLed scripts that use some Registry information from the knowledge base. Reactivating these would be helpful. Also we could then develop scripts for the MS patch days.

Best
Jan
Re: [Openvas-discuss] Progress on Debian uptake of OpenVAS?
On Monday, 10 December 2007, Javier Fernández-Sanguino Peña wrote:

On Tue, Nov 27, 2007 at 08:34:14AM +, Tim Brown wrote:

IMO we have resolved the copyright issues with the client package. We do however need to resolve the issue with including our own gdchart. I'm more than happy to take a look at it, but I wondered what the collective wisdom was on this task. Can I simply remove the existing gdchart directory from subversion and then patch the build process to use the system installed equivalent? This strikes me as the cleanest approach but might also lead to temporary breakage of the version in SVN for other distros. Any thoughts?

I think it's best if the Debian package simply patches the build process and leaves gdchart there. Just like it's done with Nessus currently. If you make the changes please upload new packages to mentors.debian.net and I will review and upload them (again).

Tim: I haven't looked into the nessus-core patch for gdchart, but if it is a general solution to the autotools (i.e. use system gdchart if available, own else), I suggest we add it to SVN before doing the 1.0.2 release.

Let's hurry up with these packaging issues. I expect some maintainer to have some time over Christmas days and if we prepare everything for them, they could finally get packages in place.

Best
Jan
Re: [Openvas-discuss] Debian openvas-client package
On Saturday, 29 December 2007, Javier Fernández-Sanguino Peña wrote:

And I have just uploaded to Debian's queue.

which was the observer URL, btw? I did not find it at a quick search.
Re: [Openvas-discuss] Debian openvas-client package
On Sunday 06 January 2008 04:41, Javier Fernández-Sanguino Peña wrote:

On Fri, Jan 04, 2008 at 03:47:56PM +0100, Jan-Oliver Wagner wrote:

On Saturday, 29 December 2007, Javier Fernández-Sanguino Peña wrote:

And I have just uploaded to Debian's queue.

which was the observer URL, btw?

It's this one: http://ftp-master.debian.org/new.html

I did not find it at a quick search.

Do not search anymore: http://packages.debian.org/openvas-client :-)

cool! now for openvas-libraries? ;-)

Best
Jan
[Openvas-discuss] openvas-client etch backport
Hi,

we've created a Debian etch backport for openvas-client and made it available here: http://apt.intevation.de/dists/etch/openvas/

Does anything speak against adding this to http://www.openvas.org/openvas-client.html and make an announcement to openvas-announce?

(note that I'd like to eventually get rid of the debian apt tree on www.openvas.org, because this causes some trouble such as file permission problems).

Best
Jan
Re: [Openvas-discuss] openvas-client etch backport
On Friday, 11 January 2008, Javier Fernandez-Sanguino wrote:

2008/1/11, Jan-Oliver Wagner [EMAIL PROTECTED]:

we've created a Debian etch backport for openvas-client and made it available here: http://apt.intevation.de/dists/etch/openvas/

I can upload backports to the official Debian repository for backports if those are wanted (http://backports.org). Did you do anything special to the official Debian packages or did you just compile them in a Debian 'etch' chroot?

we simply rebuild with pbuilder. backports.org would be really cool as primary OpenVAS etch source. However, I think it would be good to keep a special OpenVAS apt server for people who do not want to involve backports.org in their sources.list. But that is not a problem, on our web page we can list several sources.

Best
Jan
[Openvas-discuss] (Re)Activation of openvas-plugins mailing list as focal point for coordinating NVT developments
Hello,

since I got more and more offlist communication about NASL scripts development, I think it is time to (re)activate the mailing list openvas-plugins which should be the focal point for coordination of NASL development efforts from now on.

Maybe we eventually need a more formalized process to coordinate this development, but I think loose coordination on a mailing list will work out for the time being.

So please subscribe to this mailing list if you are interested in NASL script developments and post any related topic there. openvas-devel should then remain a focus for the actual OpenVAS server, client and related software.

All the best
Jan
Re: [Openvas-discuss] [Openvas-devel] Change Requests: Formalized procedure for feature changes?
On Sunday, 17 February 2008 01:11:05, Tim Brown wrote:

The work flow should be as follows, IMO: Initial request via tracker or mailing list - Request is discussed in tracker and debated on list with any substantial points imported into tracker - Consensus reached, developer documented change request uploaded to http://www.openvas.org/ - Work done to implement change, with updates to tracker and lists as appropriate

sounds good.

I would also suggest that the change requests link back to the relevant tracker entry.

this is a very good idea. Also links to mailing list discussions. I've added this to the CRs now.

Best
Jan
Re: [Openvas-discuss] [Openvas-devel] Compile warnings
Hi Laban,

On Saturday, 16 February 2008 17:20:59, Lmwangi wrote:

Started hunting for warnings to fix based on their severity, flawfinder -S -m 5 gives me a TOCTTOU alert for chmod'ing of the sockets:

openvas-libraries/libopenvas/bpf_share.c:368
./openvas-libnasl/nasl/nasl_server.c:92

Done a bit of research and it seems like fchmod on sockets ends up in undefined behaviour..

http://www.opengroup.org/onlinepubs/009695399/functions/fchmod.html
http://72.14.205.104/search?q=cache:eIrjutZ5XAgJ:www.cs.helsinki.fi/linux/linux-kernel/Year-1999/1999-03/0942.html+Under+Linux+2.1.130,+fchmod+andhl=enct=clnkcd=1
http://linux.derkeiler.com/Mailing-Lists/Kernel/2004-11/0188.html

Confirmed this with a small program that attempts to fchmod a socket descriptor.. Nothing works.. Should we disregard the warning from flawfinder? Any ideas for a workaround?

I've tried to understand the problem and potential solutions but failed. I guess this needs more investigation or a more clever mind ;-) So, perhaps best to postpone this issue and first resolve the others. Maybe some bright idea comes to one of us.

Best
Jan
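The flawfinder finding in the message above is about changing a Unix socket's permissions by path after it has been bound. As an added example (not code from OpenVAS or from anyone in this thread), the sketch below measures the mode the socket file has right after bind() and contrasts it with narrowing the umask around bind() so no later chmod is needed. The function names and the /tmp demo path are assumptions, and it relies on the Linux behaviour that bind() creates the socket file with mode 0777 masked by the umask.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

/* Bind an AF_UNIX stream socket to `path` (hypothetical helper).
 * If set_umask is non-zero, the umask is narrowed around bind() so the
 * socket file is created with `mode` from the start. Returns fd or -1. */
static int bind_unix_socket(const char *path, mode_t mode, int set_umask)
{
    struct sockaddr_un addr;
    mode_t old = 0;
    int fd, rc, saved;

    if (strlen(path) >= sizeof addr.sun_path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);

    /* umask() is process-wide: do this before any threads are started. */
    if (set_umask)
        old = umask(~mode & 0777);
    rc = bind(fd, (struct sockaddr *)&addr, sizeof addr);
    saved = errno;
    if (set_umask)
        umask(old);

    if (rc < 0) {
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Permission bits of the socket file as another process would see them
 * immediately after bind() returns, i.e. inside the window that a later
 * chmod(path, ...) leaves open. Returns -1 on error. */
int window_mode(int hardened)
{
    char dir[] = "/tmp/sockdemo-XXXXXX";  /* constructed demo location */
    char path[64];
    struct stat st;
    mode_t old = umask(022);              /* typical daemon umask, fixed for the demo */
    int fd, result = -1;

    /* mkdtemp() creates the directory with mode 0700, which on its own
     * keeps other users away from anything created inside it. */
    if (mkdtemp(dir) != NULL) {
        snprintf(path, sizeof path, "%s/sock", dir);
        fd = bind_unix_socket(path, 0600, hardened);
        if (fd >= 0) {
            if (stat(path, &st) == 0)
                result = (int)(st.st_mode & 0777);
            if (!hardened)
                (void)chmod(path, 0600);  /* legacy fix-up: by path, after the fact */
            close(fd);
            unlink(path);
        }
        rmdir(dir);
    }
    umask(old);
    return result;
}

int main(void)
{
    printf("bind() then chmod():   mode in window = %04o\n", (unsigned)window_mode(0));
    printf("umask() around bind(): mode in window = %04o\n", (unsigned)window_mode(1));
    return 0;
}
```

With the umask approach there is no second path lookup to race against; in a multi-threaded daemon, where changing the umask is unsafe, creating the socket inside a directory that only the service user can enter gives the same protection.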
[Openvas-discuss] [Openvas-devel] Voting on Change Requests #1 - #4
Hi,

I'd like to call for voting on the change requests #1 - #4, listed here: http://www.openvas.org/openvas-crs.html

Naturally, I am in favour of all 4 of them :-) However, please read and judge whether it is a good or bad idea or whether it needs further refinement.

I am not totally sure about the proper voting scheme. Tim, Robert: Does SPI require something special or do we just decide upon a simple voting?

Best
Jan
Re: [Openvas-discuss] [Openvas-devel] Voting on Change Requests #1 - #4
On Wednesday, 20 February 2008, Thomas Reinke wrote:

#2 Insufficient knowledge of use scenarios to form a vote opinion, but comments as follows: NSR is, AFAIK, not broken w.r.t semi-colons. The actual NTP protocol has the same issue of being line oriented - the server replaces all semi-colons with newlines. NSR just carries this issue through to its code. Thus removing NSR does not solve the semi-colon issue, that can only be done by adding support to both client and server to support escaped semi-colons. As such, using the semi-colon problem as a justification to remove NSR doesn't make sense.

Indeed it is only a first step to remove the design flaw. Fixing the protocol bug should be one of the next CRs (which will have much more impact on compatibility). I've extended the CR accordingly.

Best
Jan
[Openvas-discuss] openvas-libraries: 1.0.1 or 1.1-something?
Hi, there have been numerous cleanups done on openvas-libraries since 1.0.0 release. Several things have been removed, no real features been added. I wonder whether we should release the changes as 1.0.1 or begin a new release series 1.1 (perhaps starting with 1.0-beta1 or alike). As we have currently a small user base and can react to reported problems quite quickly, I tend to 1.0.1 even though usually such revisions should be restricted to bug fixing only. However, I think there are less benefits in maintaining two separate branches at this stage of OpenVAS development/use. As soon as we learn that there are users out there that rely on a strict handling of bug-fix-only releases we probably should keep a large pace to push things forward. Any opinions?

Best
Jan
Re: [Openvas-discuss] Error building manuals
Hello Edu,

On Friday, 21 March 2008, Edu Castellarnau wrote:

I have problems building the manuals for openvas 0.9.0. Here I attach the error I obtain:

[EMAIL PROTECTED]:~/openVAS/openvas-manual-0.9.0$ make
lyx -e pdf users-manual.lyx
lyx -e pdf users-manual.lyx
make: *** [users-manual.pdf] Error 1

this error message is a bit thin. Can you try

lyx -e pdf users-manual.lyx

directly in your shell?

Best
Jan
Re: [Openvas-discuss] AMD64 -libnasl does not build
On Wednesday 26 March 2008 23:27, Vazquez, Ed wrote:

Thank you! Everything built, installed, signatures updated and the server daemon starts! :-) I'm sure I'll have a few questions tomorrow since my first test of the client portscans well, but doesn't run any of the available tests (and doesn't throw any errors). I suspect I've missed a checkbox or flag somewhere, so if anyone has suggestions, they will get tried in the morning.

You might want to look into the .dump and .messages file in /var/log/openvas

Perhaps this gives already some hints.

Best
Jan
[Openvas-discuss] planning release openvas-libraries 1.0.1
Hi,

quite a lot of code cleanups happened for openvas-libraries. No real new functionality has been added. In fact, some have been removed as agreed.

However, some of the cleanups are about the include files and one consequence is that build might fail on some platforms, especially other than GNU/Linux. As discussed earlier on this list, this should not stop us in making this the 1.0.1 release nonetheless.

If there is no objection I'd like to do the release end of this week. After all it is an intermediate step as there are some cleanups left to do.

Best
Jan
Re: [Openvas-discuss] OpenVAS Gentoo AMD64 not working properly.
Hello Ed,

On Thursday 27 March 2008 18:54, Vazquez, Ed wrote:

OK, looked in the logs and what I'm seeing are entries like this:

[Thu Mar 27 10:09:31 2008][12463] no404.nasl depends on httpver.nasl which could not be found

that is OK. Many NASL scripts of Nessus were not Free Software and thus the OpenVAS project removed them but kept other scripts that depend on them.

In turn, this seems to cause:

[Thu Mar 27 10:09:31 2008][12463] user evazquez starts a new scan. Target(s) : 172.16.8.241, with max_hosts = 20 and max_checks = 4
[Thu Mar 27 10:09:31 2008][12463] user evazquez : testing 172.16.8.241 (172.16.8.241) [12464]
[Thu Mar 27 10:09:39 2008][12464] SIGSEGV occured !
[Thu Mar 27 10:09:39 2008][12463] user evazquez : test complete

on each test cycle.

hm, I can not reproduce this on my Debian Sarge box.

There seem to be about 113 depends on files that the log file claims are missing, even though they are actually present. E.g.:

[Thu Mar 27 11:48:17 2008][12452] connection from 172.16.16.56
[Thu Mar 27 11:48:18 2008][12854] Client requested protocol version 12.
[Thu Mar 27 11:48:18 2008][12854] successful login of evazquez from 172.16.16.56
[Thu Mar 27 11:48:21 2008][12854] no404.nasl depends on httpver.nasl which could not be found
[Thu Mar 27 11:48:21 2008][12854] no404.nasl depends on webmirror.nasl which could not be found
...
[Thu Mar 27 11:48:21 2008][12854] invision_power_board_calendar_sql_injection.nasl depends on invision_power_board_detect.nasl which could not be found
[Thu Mar 27 11:48:21 2008][12854] user evazquez starts a new scan. Target(s) : 172.16.8.241, with max_hosts = 20 and max_checks = 4
[Thu Mar 27 11:48:21 2008][12854] user evazquez : testing 172.16.8.241 (172.16.8.241) [12855]
[Thu Mar 27 11:48:29 2008][12855] SIGSEGV occured !
[Thu Mar 27 11:48:29 2008][12854] user evazquez : test complete

except for the SIGSEGV I have the same.

Very odd - any ideas on cause? More data I can provide for troubleshooting?

I'd like to know more about the SIGSEGV. You don't have any lines like

[Thu Mar 27 22:36:18 2008][16493] user jan : launching find_service.nes against localhost [16513]

? (I.e. does SIGSEGV occur for any single test?)

Best
Jan
[Openvas-discuss] Use glib ?
Hello,

I'd like to discuss a long-standing open question about using external, widely-used libraries in favour of self-maintained copies or self-brewed implementations. I am aware that there is no simple answer.

Among others, the discussion was about the glib library of the GNOME project. It offers several utility functions e.g. for hashed data storages or command line parsing to name only two of them. The code base of OpenVAS could be reduced by using the functions of glib.

Of course, adding further libraries adds potential security problems. On the other hand, code review is shared with a much larger developer/user group for widely used external libraries.

I'd like to hear some opinions about this question. What strategy should OpenVAS follow? Are there already noteworthy articles about this question (as it is absolutely not OpenVAS-specific)?

Best
Jan
Re: [Openvas-discuss] Use glib ?
On Tuesday 01 April 2008 21:28, Rodney Thayer wrote:

Jan-Oliver Wagner wrote:

I'd like to hear some opinions about this question. What strategy should OpenVAS follow?

when I've found myself complaining about some open source project's use (or mis-use, or unfortunately non-portable use) of things like glib, I think these are the issues one might consider:

-- what distros should it run on easily?
-- should it run easily on live cd's?
-- how much work do we want it to end up being to do apt-cache search openvas

In other words, I would like to see it be at least a tolerable process to run on:

- fedora 8
- ubuntu 7

agreed.

- debian 4

that's my reference system.

- backtrack/wolvix/etc. live cd's

I do not know these in detail. Any real problems expected?

- slackware 8

I have no experience with slackware. Well, I think I installed it in 1993 or so ;-)

Note: I don't claim my list is anything but a sample data point ;-)

I would add SUSE and Redhat to the list. I know there are some Gentoo guys around.

Are there already noteworthy articles about this question (as it is absolutely not OpenVAS-specific)?

I agree it is not OpenVAS specific. However, what effort does the team want to put into making it easy to deploy OpenVAS is a question the group might want to consider.

AFAIK, glib is quite well supported on various platforms and in fact intends to balance out incompatibilities between different libc implementations, i.e. regarding str methods or memory management.

Best
Jan
[Openvas-discuss] planning release of openvas-client 1.0.3 - translators: your turn!
Hi,

I'd like to release version 1.0.3 of OpenVAS-Client. Some Change Requests have been considered, some bugs fixed. So I think it is time to go for a release.

Translations: If any translators would like to update the translation or add a further one, please speak up ASAP and I will delay release until you are finished. Else I plan to release end of this week.

Anything else comes to your mind that needs change before release?

Best
Jan
Re: [Openvas-discuss] Use glib ?
On Thursday 03 April 2008 03:09, Tim Brown wrote:

Quick answer. In my opinion it makes sense.

to start with integrating glib it might make sense to migrate the GNU getopt stuff (currently maintained as a copy in openvas-libraries) to the methods offered by glib (http://library.gnome.org/devel/glib/2.8/glib-Commandline-option-parser.html).

That'll be some (not too much) work on openvas-server first (replace code for command line handling, adapt configure.in), then on openvas-libnasl (little) and then the getopt copies could be removed from openvas-libraries.

Good enough to work out a change request?

Best
Jan
[Openvas-discuss] Security language is english !?
Hi,

I once again stumbled across problems caused by the multilingual features of OpenVAS server (as inherited by Nessus).

I wonder whether it makes sense at all to have the NASL scripts allow for other languages than English. IMHO this adds only unnecessary source codes, user confusion, extra-time writing NASL scripts and potentials for inconsistencies. Not to forget the maintenance problem!

AFAIU, the security language is English. All relevant sources of security alerts are in English and need to be understood anyway by the auditors. (Yes, there are some non-English sources of security alerts, but in fact these could even be better implemented as separate base NASL scripts and form some sort of a profile of its own).

So, I'd be interested in your opinion/thoughts on whether we should remove any of the Server-side localization support for NASL scripts?

Best
Jan
Re: [Openvas-discuss] Use glib ?
On Tuesday, 8 April 2008, Jan-Oliver Wagner wrote:

On Thursday 03 April 2008 03:09, Tim Brown wrote:

Quick answer. In my opinion it makes sense.

to start with integrating glib it might make sense to migrate the GNU getopt stuff (currently maintained as a copy in openvas-libraries) to the methods offered by glib (http://library.gnome.org/devel/glib/2.8/glib-Commandline-option-parser.html).

That'll be some (not too much) work on openvas-server first (replace code for command line handling, adapt configure.in), then on openvas-libnasl (little) and then the getopt copies could be removed from openvas-libraries.

Good enough to work out a change request?

I now crafted one: http://www.openvas.org/openvas-cr-9.html

Best
Jan
Re: [Openvas-discuss] Tools that are managed by OpenVAS
On Wednesday 02 April 2008 15:27, Jan-Oliver Wagner wrote:

I've crafted a small overview on tools integrated into OpenVAS: http://www.openvas.org/integrated-tools.html The page is not linked yet. I think it is quite important to talk about the tools that can be managed via OpenVAS as OpenVAS can very well play a role of an integrator.

I've updated and linked the page now.

Next, I'd like to get Nikto to work. Anyone has experience with Nikto?

Best
Jan
Re: [Openvas-discuss] Security language is english !?
On Tuesday 06 May 2008 16:18, Javier Fernandez-Sanguino wrote:

2008/5/6 Jan-Oliver Wagner [EMAIL PROTECTED]:

Opinions?

Even though client and server releases are different I don't suggest bundling the PO files with the openvasd release and have the server handle gettext translations. For several reasons:

- the NASL code is actually in the openvas-plugins package, not in the server

yes, I indeed had this module in mind, not openvas-server.

- it adds complexity to the server for a task unrelated to vulnerability scanning

yes, my intention is to get the code base of openvasd further reduced.

- you (probably?) have to modify the Nessus client-server protocol so that the client can provide the server its language settings (the client knows the settings based on the user's environment).

I thought that this could be neglected for a first step. The server is simply configured with a default language and will deliver corresponding strings if available. It is my understanding that most users of OpenVAS-Client have also installed and configured OpenVAS Server.

I suggest taking this approach instead:

- adding PO support for NASL scripts through a wrapper that takes the message text calls and generates POT files for them in the openvas-plugins's po/ (or intln/) directory that translators can work with.

yes, this is a working option. However, I thought it would be nice to add a _() integrated function to NASL and call gettext from it with the textdomain set to whatever is configured. Thus, openvasd would automatically deliver the translated strings to the client (or to log files) without more complexity than 5-10 lines of code calling gettext in a proper way.

- Separately, have the PO files be distributed by a separate openvas-plugins-XX package (with XX the language code). That package installs the proper /usr/share/openvas just like you provide openvas-plugins packages that installs the appropriate MO files for a given gettext domain (say 'openvas-plugins') at its proper location under /usr/share/locale/XX/LC_MESSAGES/OpenVAS-plugins.mo (with XX the language code)

or it comes with the feed. And we need some concept to have trusted (signed) translations like we currently have for the NASL scripts.

- Since the gettext domain would be different (different MO files) have the client change its gettext domain when parsing NASL input, so that it gets translated (you can see a way to do this in Squirrel's Mail plugins at http://www.squirrelmail.org/wiki/HelpTranslating), basically the OpenVAS client would have to switch to the 'OpenVAS-plugins' gettext domain when generating its output associated with the NASL info and then switch back to its own gettext domain after it.

I fear that it will get a update/maintenance problem when trying to have the po files at the client. Shouldn't the translations be where the original text is?

It might sound complicated, but to me it looks easier to do than the other approach (server side) which involves introducing gettext in the server and change the Nessus protocol so that client can provide its language environment to the server.

hm, without having really tried it, I think it should be only few lines of code on the server side to apply a specific text domain. Maybe I should simply try to see whether I can prove myself wrong ;-)

Best
Jan
Re: [Openvas-discuss] Security language is english !?
On Tuesday 06 May 2008 18:05, Thomas Reinke wrote:

So, I'd be interested in your opinion/thoughts on whether we should remove any of the Server-side localization support for NASL scripts ?

While I've been a fan of localization support (given our environment, we often deal with more casual, less security oriented individuals who may not have a great working knowledge of English), I've NOT been a fan of doing it in the server itself. In my mind it doesn't make sense for the simple reason that if you take days and weeks to run a set of scans on a large network, it seems wrong that you are stuck with whatever language you used at the time you ran the scan. It would seem to me that if you change the language at the client level, the reporting language ought to change as well. Based on that, the current server-side localization code that was previously done is in my mind pretty much useless (but hey, that's just my 0.02 worth).

seems we all agree the current concept is broken by design :-)

You bring up an interesting aspect: Should a scan result be translatable into more than one language? Does the gettext / po implementations allow for easy back-to-English? If so, I could imagine solutions to allow a translation to various languages inside the OpenVAS-Client. But I have to move my mind a bit more about this...

Best
Jan
Re: [Openvas-discuss] OCERT
On Tuesday 13 May 2008 08:09, Tim Brown wrote:

Do we wish to apply to join OCERT (www.ocert.org)?

after a quick glance I do not see any reason against this. What would you expect from a membership?

Best
Jan
Re: [Openvas-discuss] Question about plugin 11808
Hello,

(I am CCing this to openvas-plugins, the mailing list for plugin issues)

On Wednesday, 14 May 2008, Vincenti Francesco wrote:

I am writing you to understand the correct behaviour I should have in front of the results of OpenVAS scansion, according the following problem. Every scansion of my company's PC I have done until now shows a security hole in each machine which is detected by plugin 11808, about Microsoft RPC Interface Buffer Overrun, and is caused by epmap on port 135. The plugin suggests to update the operating system to a kind of patch but when I try to install it the answer is that the operating system version is more recent than the patch itself: obviously, the problem is known since 2003 and Windows has reached the SP 2 now! Is this result the consequence of some missed update of the plugin 11808 or is the plugin itself which is not update to the SP 2, and how can I solve this false positive? Thank you very much for your attention.

I am not a plugin developer nor would I call myself a Windows guru. However, the first observation when looking into the NASL code (msrpc_dcom.nasl) is that a dependency is not fulfilled (msrpc_dcom2.nasl). This script is missing which is probably because it is kept proprietary by Tenable (OpenVAS project obviously had to remove any proprietary element). But this does not necessarily cause the problem.

I can try to reproduce the problem, but I'd need to know how to start the service at port 135. My default XPSP2 has nothing running there.

Best
Jan
Re: [Openvas-discuss] Nasty variable scoping booby-trap
Thomas, On Thursday 15 May 2008 23:30, Thomas Reinke wrote: Some thoughts we've had: 1) Change the nasl compiler to force all variables to be explicitly declared; 2) Default undeclared variables to a local scope; 3) Have a lint style checker that examined functions and warned of global variable usage, which could then be vetted as acceptable (or not) Any thoughts? It would be great if you could prepare a simple NASL script that demonstrates the danger of the current NASL implementation. This script could also then serve for debugging and proof it works better after a change. Given there really is the weakness you mention (I didn't track down your hints yet), option 3 seems not really an option to me. The first option appears as the best solution to me. This should reduce programming errors. Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] Nasty variable scoping booby-trap
On Thursday 15 May 2008 23:53, Michel Arboi wrote: On Thu, May 15, 2008 at 11:30 PM, Thomas Reinke [EMAIL PROTECTED] wrote: Variables in a function in NASL do not _need_ to be declared. Isn't it magical? I guess it is more a conceptual element of the NASL programming language. It's not a new concept (many other programming languages behave similar), so I wouldn't exactly call it magic. If the variable is not declared at all, it will be created, automatically, with a global scope. Or maybe not? Who knows? Are you saying that Thomas is wrong? 1) Change the nasl compiler to force all variables to be explicitly declared; Which is, as far as I can remember, incredibly easy. I guess so, too. 2) Default undeclared variables to a local scope; That looks like a good idea. I am not sure that automagic is good for this type of programming. Better to make the developer aware of anything that he believed to be implicitly correct. Maybe I already had it. Are you saying you even implemented this already? Why are you in doubt? 3) Have a lint style checker that examined functions and warned of global variable usage, which could then be vetted as acceptable (or not) Which is probably not very complicated. I guess it is as simple as option one, in fact it is more or less identical ;-) Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] svn under BackTrack3 beta
On Sunday 18 May 2008 22:46, echo6 wrote: Apologies if this is not the correct place to ask! it is the correct place :-) I'm trying to install the svn openvas on the USB version of BT3 beta. I am not familiar with BT3. What is the base of it? openvas-libraries built and installed without any problems. openvas-nasl I experienced missing files in /usr/local/lib ln -sf libopenvas.so.1 libopenvas.so ln -sf libopenvas_hg.so.1 libopenvas_hg.so I was able to build openvas-nasl after creating the symlinks. in fact this shouldn't really happen. Can you post the commands you applied to configure, build and install openvas-libraries? On trying openvas-server make failed r/local/bin/openvas-libnasl-config --libs` (seems you mean openvas-libnasl, not openvas-server) `/usr/local/bin/libopenvas-config --libs`-ldl /usr/local/lib/libopenvasnasl.a(nasl_signature.o): In function `print_gpgme_error': Probably you have the gpgme library not available for the compilation process. In fact, during configure, you should have seen a warning about this. Try this to see whether the required development module is installed: $ gpgme-config --version Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] Voting on Change Requests #6 - #9
Hi, On Thursday, 15 May 2008, Robert Berkowitz wrote: On Tue, May 6, 2008 at 3:17 AM, Jan-Oliver Wagner [EMAIL PROTECTED] wrote: I'd like to call for voting on the change requests #6 - #9 as listed here: http://www.openvas.org/openvas-crs.html #6: Remove support of old XML report format This looks good to me. Since we can export in a new and better supported XML format I see no reason not to move forward with this. #7: Extend report widget with optional info on NVT name/oid in OpenVAS-Client The additional info would be helpful. I support this. #8: Introduce NVT family Credentials We should implement this. there seems to be general agreement with these changes. However, I'd appreciate some more explicit votes on this. Or may I go ahead with +2 ? #9: Make OpenVAS use (and depend on) glib I think some more exploratory work should be done on this before a full implementation. What do you mean with full implementation? First of all, we need to find out whether to link glib at all. If yes, there are some simple things to use (such as the command line parsing) and some complex stuff (object storage). We should discuss any subsequent use of glib API with a Change Request of its own. Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] OpenVAS and Cygwin
On Thursday 22 May 2008 02:26, Tim Brown wrote: On Wednesday 21 May 2008 13:54:19 John Chajecki wrote: 1. The OpenVAS client seems to clash with Cygwin and refuses to launch when Cygwin is active. We have installed OpenVAS client 1.0.3 on Windows. Not sure about that, I would wait and see what other people say on the subject. Jan is often a good bet since he builds the Windows client. I've heard about this type of problem once, quite a long time ago. IIRC, the Cygwin versions clashed somehow. Is this a general problem of two cygwin applications on the same machine or more a specific problem of the OpenVAS build method? 2. We downloaded the manual but we can't read it. It seems to be written with something called LyX. We have downloaded LyX and we now have a pretty LyX associated with users-manual.lyx but when we click on it nothing appeared to happen. About 5 minutes later however, a web browser like window suddenly opened up on the desktop with the manual displayed. I realise this may be a LyX issue, but why can't the manuals be written in a common file format like html or PDF rather than some obscure format that no one has heard of (yes - I have asked around!)? In fact the PDF manual should open up if you click the respective menu item in the OpenVAS-Client GUI. The markup format we use for the manual is LaTeX. This is a pretty common, open format which is heavily within the science and technology community. Having said that, its main use here is to allow the generation of HTML and PDFs from a single source. Maybe it would be worth updating the relevant packages to generate one of those formats as part of the distribution process. I think it's a fair point that end users shouldn't have to rely on having LyX (or another LaTeX editor) installed to use OpenVAS. Thoughts anyone? Well, currently LyX is only needed for modifying the manual. Just reading, a PDF viewer is sufficient. Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] Nasty variable scoping booby-trap
On Monday 19 May 2008 00:50, Lukas Grunwald wrote: Jan-Oliver Wagner wrote: 1) Change the nasl compiler to force all variables to be explicitly declared; 2) Default undeclared variables to a local scope; 3) Have a lint style checker that examined functions and warned of global variable usage, which could then be vetted as acceptable (or not) Any thoughts? It would be great if you could prepare a simple NASL script that demonstrates the danger of the current NASL implementation. This script could also then serve for debugging and proof it works better after a change. Given there really is the weakness you mention (I didn't track down your hints yet), option 3 seems not really an option to me. The first option appears as the best solution to me. This should reduce programming errors. For option 1 and 2, this would break almost all NASL scripts, and I don't go with it, as long no one voluntarily will fix them all .-) But option 3 is the only one, if you want to be still compatible with some proprietor security products .-) Indeed option 1 would mean quite some work. Nonetheless, IMHO it is the option in the long run. Perhaps we can control effort with a clever revisioning of the NASL Level. Or actually it will be OASL in the near future to prevent compatibility confusion ;-) Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
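An added sketch of the lint-style check listed as option 3 in the thread above; it is not code from the OpenVAS project or from any list participant. It assumes the behaviour Thomas Reinke's post describes (a variable assigned inside a function without a `local_var` declaration ends up global), and the NASL sample and all Python names are constructed for illustration.

```python
import re

# Constructed NASL sample (not from the OpenVAS tree).
SAMPLE_NASL = '''\
# Constructed NASL sample for the lint example.
global_var report;

function count_open(ports)
{
  local_var p;
  total = 0;                    # never declared
  foreach p (ports)
    if (get_port_state(p)) total++;
  report = "open: " + total;    # declared global_var at file level
  return total;
}

function banner_len(port)
{
  local_var soc, buf;
  soc = open_sock_tcp(port);
  buf = recv_line(socket: soc, length: 1024);
  i = strlen(buf);              # never declared, same name as the loop counter below
  return i;
}

for (i = 0; i < 3; i++)
  n = banner_len(port: 21 + i);
'''

IDENT = r"[A-Za-z_]\w*"
FUNC_RE = re.compile(r"\bfunction\s+(%s)\s*\(([^)]*)\)\s*\{" % IDENT)
LOCAL_RE = re.compile(r"\blocal_var\s+([^;]+);")
GLOBAL_RE = re.compile(r"\bglobal_var\s+([^;]+);")
# Assignment targets: x = ..., x[i] = ..., x += ..., x++ (but not ==, =~, <=, !=).
ASSIGN_RE = re.compile(
    r"\b(%s)\s*(?:\[[^\]]*\]\s*)*(?:=(?![=~])|\+=|-=|\*=|/=|\+\+|--)" % IDENT)
FOREACH_RE = re.compile(r"\bforeach\s+(%s)" % IDENT)


def scrub(src):
    """Blank out comments and string contents, keeping offsets and newlines."""
    out, i, n = [], 0, len(src)
    while i < n:
        c = src[i]
        if c == "#":                       # comment runs to end of line
            while i < n and src[i] != "\n":
                out.append(" ")
                i += 1
        elif c in "\"'":                   # string literal
            quote = c
            out.append(" ")
            i += 1
            while i < n and src[i] != quote:
                if quote == "'" and src[i] == "\\" and i + 1 < n:
                    out.append(" ")        # skip the backslash of an escape
                    i += 1
                out.append("\n" if src[i] == "\n" else " ")
                i += 1
            if i < n:
                out.append(" ")
                i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def function_bodies(clean):
    """Yield (name, parameter text, body offset, body text) per function."""
    for m in FUNC_RE.finditer(clean):
        depth, pos = 1, m.end()
        while pos < len(clean) and depth:
            depth += {"{": 1, "}": -1}.get(clean[pos], 0)
            pos += 1
        yield m.group(1), m.group(2), m.end(), clean[m.end():pos]


def lint(src):
    """Return (function, variable, line) for each undeclared assignment target."""
    clean = scrub(src)
    explicit_globals = set()
    for g in GLOBAL_RE.finditer(clean):
        explicit_globals.update(re.findall(IDENT, g.group(1)))
    findings = []
    for name, params, start, body in function_bodies(clean):
        declared = set(re.findall(IDENT, params)) | explicit_globals
        for d in LOCAL_RE.finditer(body):
            declared.update(re.findall(IDENT, d.group(1)))
        targets = sorted((m.start(1), m.group(1))
                         for rx in (ASSIGN_RE, FOREACH_RE)
                         for m in rx.finditer(body))
        seen = set()
        for off, var in targets:
            if var not in declared and var not in seen:
                seen.add(var)
                line = clean.count("\n", 0, start + off) + 1
                findings.append((name, var, line))
    return findings


if __name__ == "__main__":
    for func, var, line in lint(SAMPLE_NASL):
        print("line %d: %s() assigns undeclared variable '%s'" % (line, func, var))
```

Each finding is a candidate for vetting: either add a `local_var` declaration or make the global use explicit with `global_var`.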
Re: [Openvas-discuss] Voting on Change Requests #6 - #9
On Monday 19 May 2008 10:12, Jan-Oliver Wagner wrote: On Thursday, 15 May 2008, Robert Berkowitz wrote: On Tue, May 6, 2008 at 3:17 AM, Jan-Oliver Wagner [EMAIL PROTECTED] wrote: I'd like to call for voting on the change requests #6 - #9 as listed here: http://www.openvas.org/openvas-crs.html #6: Remove support of old XML report format This looks good to me. Since we can export in a new and better supported XML format I see no reason not to move forward with this. #7: Extend report widget with optional info on NVT name/oid in OpenVAS-Client The additional info would be helpful. I support this. #8: Introduce NVT family Credentials We should implement this. there seems to be general agreement with these changes. However, I'd appreciate some more explicit votes on this. Or may I go ahead with +2 ? I updated the website now accordingly for CRs #6-8. #9: Make OpenVAS use (and depend on) glib I think some more exploratory work should be done on this before a full implementation. What do you mean with full implementation? First of all, we need to find out whether to link glib at all. If yes, there are some simple things to use (such as the command line parsing) and some complex stuff (object storage). We should discuss any subsequent use of glib API with a Change Request of its own. I left this one open as there seems more need for discussion. Please add your thoughts. Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] OpenVAS and Cygwin
On Monday, 2 June 2008, John Chajecki wrote: I have found that OpenVAS uses the Cygwin1.dll. It's in C:\Program Files\OpenVAS-Client\bin but its version 0.132 as opposed to version 0.156 installed in C:\cygwin\bin. Replacing the file in C:\Program Files\OpenVAS-Client\bin with the one in C:\cygwin\bin seems to fix the problem. Fine, so this solves the problem. Is there any way of making OpenVAS use the already installed Cygwin? The installer needs to be made more clever. However, I'd like to switch from InnoSetup to NSIS eventually, so I hesitate to put work into InnoSetup. Maybe I find the time to switch to NSIS and add the cygwin test for the next release. Ideally, I'd like to have a native cross compilation environment and get rid of cygwin. Fully automized including the packaging, i.e. type make OpenVAS-Client.exe on a Linux machine :-). But that'll take 2 or 3 extra days which I can not afford ATM. Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
[Openvas-discuss] Prototype for OID-to-NASL mapping web interface online
Hi, we've put an OID to NASL script mapping online as discussed for Change Request #1. It is simply so far. A URL like this: http://www.openvas.org/?oid=1.3.6.1.4.1.25623.1.0.61039 resolves to the SVN trunk version of the respective NVT. After all, the links applied in the PDF reports (since OpenVAS-Client release 1.0.3) will now lead to a helpful information. Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] can not login to openvas server
On Monday 02 June 2008 16:19, christian gattermair wrote: i try the today svn versions. when i try to login with the client and only user:pw (without ssl) i get: on the server [20295] gnutls_handshake: A record packet with illegal version was received. and on the client remote host is not using the good version of the nessus communication protocol (1.2) or is tcpwrapped that is absolutely OK. OpenVAS has no option to run without SSL. The SSL switch in the client is only available for compatibility with Nessus which allows for unencrypted use. Perhaps we should simply remove this option. Unencrypted connection has no real use-case IMHO. Other opinions? with ssl enabled on the client i get: login failed Should not happen. user and pass are 100% correct. That would have been my first guess :-) thanks for any hint! on which operating system (and which version, any other special things) did you try this? What do the log files of openvasd say? Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
[Openvas-discuss] Voting on Change Requests #9 - #12
Hello OpenVAS team users, I'd like to call for voting on the change requests #9 - #12 as listed here: http://www.openvas.org/openvas-crs.html #9: Make OpenVAS use (and depend on) glib #10: Remove support for non-SSL connections in OpenVAS-Client #11: Make OpenVAS-Client use (and depend on) glib #12: Replace NTP with OTP Naturally, I am in favour of all 4 of them :-) However, please read and judge whether it is a good or bad idea or whether it needs further refinement. Note that we factored out the client-side from #9 to #12. All the best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] Voting on Change Requests #9 - #12
On Friday, 13 June 2008, Bernhard Herzog wrote: On 12.06.2008, Jan-Oliver Wagner wrote: I'd like to call for voting on the change requests #9 - #12 as listed here: http://www.openvas.org/openvas-crs.html #9: Make OpenVAS use (and depend on) glib #10: Remove support for non-SSL connections in OpenVAS-Client #11: Make OpenVAS-Client use (and depend on) glib #12: Replace NTP with OTP I'm in favor of all of them. I now declared them as accepted with vote +2. Just one note about the glib CRs: In many cases, the arglists in OpenVAS can be replaced by simple C structs instead of glib data structures. indeed. from the glib I in fact hope for hashing and other standard routines. Usually you need to define some comparison functions and then can use arbitrary C structs as data objects. Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
[Openvas-discuss] idea: Contest 'Best advances for OpenVAS Network Vulnerability Tests'
Hi, how about arranging a Contest 'Best advances for OpenVAS Network Vulnerability Tests' in order to make OpenVAS more known, get people to look on how to implement further NVTs or in other ways implement ideas to improve OpenVAS? What I am having in mind is something like this (just quickly drafted and entirely open for suggestions how to change or extend or entirely rewrite it): Contest: Best advances for OpenVAS Network Vulnerability Tests The OpenVAS Team (Open Vulnerability Assessment System, [1]) calls for submission of patches, scripts, converters or anything else that significantly improves the OpenVAS framework for extended Open Source Network Vulnerability Testing. Basically you are free to choose the actual area of improvements, examples are: * New .nasl scripts for recent security alerts * NASL libraries for simplifying development of new test scripts * Converter routines that (semi-)automatically create NASL scripts from formal security alerts. * Performance improvements for the current tests. There are arbitrary other ways to extend/improve the OpenVAS test routines. The only hard requirement is that your solution is published as Free Software under GNU GPLv2+. Current winner prizes are (the amount might increase because additional sponsors are welcome to add to the prize as long as the contest is open): 1: 500 Euro 2: 300 Euro 3: 100 Euro The sponsors and OpenVAS steering team will jointly choose the winners inspired by these criteria: * number of CVEs/BIDs covered * relevance of the covered alerts * sustainable future benefit (e.g. in the case of supporting APIs) * how well the development was coordinated via the public OpenVAS mailing lists (teams may win as well) * code quality (documentation, design, style) Contest sponsors are (sorted by sponsored amount): * Intevation GmbH, www.intevation.net Time table: 2008-07-01: Contest started 2008-09-30: Contest closes 2007-10-15: Winners nominated How to participate: * express your wish to participate on the OpenVAS mailing list and what you plan to work on * summarize your contribution before contest closes [1] www.openvas.org Maybe we can get some press on board to support such a contest? What do you think? Stupid idea? Unrealistic to find enough people? Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] idea: Contest 'Best advances for OpenVAS Network Vulnerability Tests'
On Thursday, 26 June 2008, Jan-Oliver Wagner wrote: how about arranging a Contest 'Best advances for OpenVAS Network Vulnerability Tests' in order to make OpenVAS more known, get people to look on how to implement further NVTs or in other ways implement ideas to improve OpenVAS? What I am having in mind is something like this (just quickly drafted and entirely open for suggestions how to change or extend or entirely rewrite it): I received message from DN-Systems that they support the idea and will add some Euros to the prize :-) More comments urgently welcome. Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] openvas on Ubuntu 8.04
On Sunday, 13 July 2008 17:04:22, echo6 wrote: I'm using subversion to build from source, 1.0.2. Here are some issues I've noticed on Ubuntu. /usr/local/lib needs to be added to /etc/ld.so.conf otherwise openvas-mkcert complains about missing libraries. I've never experienced such a problem so far. Not sure why it installs to /usr/local/lib. Launching openvasd and I get the following errors Loading the plugins... 2244 (out of 5343)smb_nt.inc: No such file or directory Loading the plugins... 2448 (out of 5343)url_func.inc: No such file or directory Loading the plugins... 2958 (out of 5343)slad.inc: No such file or directory that is OK. the first two are proprietary NASL scripts which we had to remove after the fork from Nessus. slad.inc is a file that is created when SLAD is installed. I've created a user, but I am unable to login, trying to remove a user and openvas-rmuser complains user does not exist! can you look into /var/lib/openvas/users/ ? There should be a directory with the same name as the user. Best Jan
Re: [Openvas-discuss] idea: Contest 'Best advances for OpenVAS Network Vulnerability Tests'
On Thursday, 17 July 2008 07:31:32, Tim Brown wrote: On Thursday 26 June 2008 14:51:08 Jan-Oliver Wagner wrote: how about arranging a Contest 'Best advances for OpenVAS Network Vulnerability Tests' in order to make OpenVAS more known, get people to look on how to implement further NVTs or in other ways implement ideas to improve OpenVAS? I'm game, I'll throw in the 100 euro prize personally. Great! I suspect we need to get details up on the web site and announce it on the various security forums. I'd be glad if anyone can take care of this as I am really short of time next 10 days. What needs to be done is shift dates, improve text, update amounts and contributors and then get the web page online as well as prominently linked from the homepage. Then send it to the security forums or wherever it fits. Are we considering your email a formal announcement of intent? You mean the Euro amount for such a prize? Yes, sure! I now count a total of 1000 Euro already (Intevation/DN-Systems/T.Brown) :-) Best Jan
Re: [Openvas-discuss] openvas-compendium to replace openvas-manual?
On Thursday, 17 July 2008 01:43:06, Tim Brown wrote: On Tuesday 08 July 2008 11:17:09 Jan-Oliver Wagner wrote: * plain latex(+hyperlatex) instead of lyx (make compilation easier for distributions AFAIU) * Get rid of any authorship of the origin Nessus team (which means to rewrite various sections, which is good anyway since most of the stuff is quite old). The only part transferred to the compendium is the part I wrote myself - the GUI description. Once the OpenVAS team identified an independent organization to hold the copyright, the compendium could this way transferred entirely. I would go with SPI if we want to centralise copyright in this manner. I did already a couple of months ago. The result was that despite the fact that they have a corresponding note on their pages they never received any copyrights so far. And they are neither prepared for this nor really wishing to do it (they did not negate though). My conclusion then was that it might be better to head for FLA some day and either transfer to FSFE or another trusted organization. I know they prefer not to hold copyright, but they will do so if asked and we already have an existing relationship of sorts with them. Incidentally, I notice that the source for the compendium is GPLv2(only) however it generates CC-SA licensed output. I'm not sure that this is the best way to go. hm, this should be cleaned of course. Since the compendium is actually documentation I'd prefer CCSA over the GNU licenses as it is better understood (remember the Debian discussion about FDL). In case the old manual should indeed be superseded with the compendium, how to do that? * Keep module name openvas-manual or rename it to openvas-compendium? * Move compendium files to this module and keep the other files for a while? * Or delete them immediately? * Which version to apply? (-manual has 0.9.0, -compendium has 0.1.0). My personal preference is to rename to openvas-compendium, delete all old stuff and apply version 0.1.0. I second that. :-) If no non-positive comments get in, we will do the change end of this month or early in August. For the record, content so far looks excellent. I've added a sub section on script_oid to the NASL scripting chapter as it's important to get that documented. thanks. Yes, to fulfil the promise of a compendium there need to be many additional stuff in there. However, we must have a start.
Re: [Openvas-discuss] OpenVAS donations?
On Tuesday, 29 July 2008, Michael Schultheiss wrote: Tim Brown wrote: Thanks for your response on OFTC I appreciate it, but could you clarify the position as to what SPI require from OpenVAS in order to start taking donations on our behalf? I'll need to check with our accountants about the specifics of running a contest like this. There are specific rules and requirements due to SPI's 501(c)(3) status. I'll let you know as soon as I hear back from them. if this causes any trouble, Intevation could organize the process. As for general donations, those can be setup at any time. that'll be good anyway. I guess, SPI prepared some piece of HTML that could be integrated into homepages so that the donation options are directly linked? Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] idea: Contest 'Best advances for OpenVAS Network Vulnerability Tests'
On Monday, 28 July 2008, Jonas Andradas Arias wrote: If I am not mistaken (which I perfectly might), doesn't OpenVAS include a utility to compile C-plugins as NASL files? Or does it only compile NASL scripts... I am a bit lost on that yet. no, there is no converter for C to NASL. There once was a factory for C plugins. In fact some header files. But that was all of no help. The way to go is writing NASL and, where helpful, extend NASL or its built-in functions. Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] idea: Contest 'Best advances for OpenVAS Network Vulnerability Tests'
Hello Jonas, On Wednesday, 30 July 2008, Jonas Andradas Arias wrote: no, there is no converter for C to NASL. There once was a factory for C plugins. In fact some header files. But that was all of no help. The way to go is writing NASL and, where helpful, extend NASL or its built-in functions. could you recommend a NASL tutorial/manual? The best I have found are these: http://searchsecurity.techtarget.com.au/articles/25155-Using-Nessus-Attack-Scripting-Language-NASL-to-find-application-vulnerabilities and http://www.nessus.org/doc/nasl2_reference.pdf Is there another NASL reference or manual which is more up to date or better? The OpenVAS team works on an OpenVAS Compendium where a NASL developer guide should be part of. Currently you find openvas-compendium under doc/ in SVN, but it will soon emerge as a package of its own. The NASL devel part is in the works and should see significant progress in August. Apart from this the nasl2_reference is of some help. The best help usually are the other NASL scripts which you could take as examples. Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] can not login to openvas server
Hello Pascal, On Wednesday 23 July 2008 12:21, Pascal Bovet [MikeHorn] wrote: I've the same problem as described on thread: http://www.mail-archive.com/openvas-discuss@wald.intevation.org/msg00397.html i created a user with nessus, tried to login (with running nessusd) and everything worked. i stopped nessusd, copied the user to openvas, started openvasd tried again, doesn't work.. note that the problem described under the URL above was about unencrypted access. In contrast to Nessus OpenVAS does not allow unencrypted access. nessuslog says: [Wed Jul 23 11:29:06 2008][15962] connection from 127.0.0.1 [Wed Jul 23 11:29:06 2008][17210] Client requested protocol version 12. [Wed Jul 23 11:29:06 2008][17210] successful login of test from 127.0.0.1 [Wed Jul 23 11:29:10 2008][17210] Communication closed by client opvaslog says: [Wed Jul 23 11:30:40 2008][17857] connection from 127.0.0.1 [Wed Jul 23 11:30:40 2008][18494] Client requested protocol version 12. [Wed Jul 23 11:30:40 2008][18494] bad login attempt from 127.0.0.1 hm, there should be some other log info for unencrypted access. $ cat /var/lib/nessus/users/test/auth/hash d57282a6ca65d6caeb48fad352821c89 a380ec87f21022701f95780e592f5f1b $ cat /var/lib/openvas/users/test/auth/hash d57282a6ca65d6caeb48fad352821c89 a380ec87f21022701f95780e592f5f1b same result, when i create the user with openvas-adduser.. i can't login into openvas server, but login to nessus server with same login works without problem.. Can you retry with a simple user (password) and with encrypted connection? You should use the newest OpenVAS-Client. Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] idea: Contest 'Best advances for OpenVAS Network Vulnerability Tests'
On Thursday, 26 June 2008, Jan-Oliver Wagner wrote: how about arranging a Contest 'Best advances for OpenVAS Network Vulnerability Tests' in order to make OpenVAS more known, get people to look on how to implement further NVTs or in other ways implement ideas to improve OpenVAS? What I am having in mind is something like this (just quickly drafted and entirely open for suggestions how to change or extend or entirely rewrite it): I'd like to not delay this contest any further as we received quite positive feedback. Surely it would be good to have support by SPI for managing it, but Intevation could take over responsibilities until things are clarified. Getting the contest to start is more important than to get the details straightened, IMHO. Please feel free to fix or improve the actual announcement of the contest (we have already two additional sponsors :-) : Contest: Best advances for OpenVAS Network Vulnerability Tests The OpenVAS Team (Open Vulnerability Assessment System, [1]) calls for submission of patches, scripts, converters or anything else that significantly improves the OpenVAS framework for extended Open Source Network Vulnerability Testing. Basically you are free to choose the actual area of improvements, examples are: * New .nasl scripts for recent security alerts * NASL libraries for simplifying development of new test scripts * Converter routines that (semi-)automatically create NASL scripts from formal security alerts. * Performance improvements for the current tests. There are arbitrary other ways to extend/improve the OpenVAS test routines. The only hard requirement is that your solution is published as Free Software under GNU GPLv2+. Current winner prizes are (the amount might increase because additional sponsors are welcome to add to the prize as long as the contest is open): 1: 500 Euro 2: 300 Euro 3: 200 Euro The sponsors and OpenVAS steering team will jointly choose the winners inspired by these criteria: * number of CVEs/BIDs covered * relevance of the covered alerts * sustainable future benefit (e.g. in the case of supporting APIs) * how well the development was coordinated via the public OpenVAS mailing lists (teams may win as well) * code quality (documentation, design, style) Contest sponsors are (sorted by sponsored amount): * Intevation GmbH, www.intevation.net * DN-Systems GmbH, www.dn-systems.de * Tim Brown Time table: 2008-08-15: Contest started 2008-10-15: Contest closes 2007-10-30: Winners nominated How to participate: * express your wish to participate on the OpenVAS mailing list and what you plan to work on * summarize your contribution before contest closes and submit it on the OpenVAS mailing list [1] www.openvas.org -- Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] Trouble Compiling Library version 1.0.2
On Thursday, 7 August 2008, Michael Stephen Hughes wrote:
> I am having trouble compiling the openvas-libraries package on red hat 4.6. The package auto configures successfully, but when I run make it dies on compiling network.o in the libopenvas directory. Specifically, network.c:255: error: 'nessus_connection' has no member named 'last_err', this is odd because nessus_connection is defined in the very same file and does contain last_err.

Can you

$ make distclean

and configure again? Are there any problems reported during configuration such as missing gnutls-dev or so? Perhaps you can paste the output here.

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] login failed
Hello,

On Thursday, 21 August 2008, 臧冬松 wrote:
> I'm a beginner to openvas. I have just installed openvas-server (openvasd (OpenVAS) 1.0.1 for Linux) on a machine with debian, and then I added a user with openvas-adduser and created a cert with openvas-mkcert. Next I installed OpenVAS-Client 1.0.3 on another machine running win xp. But when I connect to the server using the username, it tells me Error: login failed. ps: I chose Use SSL Encryption and selected the cacert.pem file created on the server. Is anything I did wrong?

you probably have been hit by the same problem discussed recently. openvas-add-user might have failed to create the user in the correct directory. Please see in /var/lib/openvas/users whether there is a directory with the name of the user. If you have used a different prefix for compilation, you now have to move the user directory to wherever you have prefixed.

This problem is already fixed and will not occur with the next release.

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] openvas-nvt-sync only get debian local security checks
On Freitag, 22. August 2008, 臧冬松 wrote: when I run openvas-nvt-sync ,I only get deb_***_*.nasl in /usr/local/lib/openvas/plugins directory.Is that normal ? yes. Currently only the debian Local Security Checks are served by the feed. This might drastically change in the near future, though. You should also install openvas-plugins, of course. Best Jan -- Dr. Jan-Oliver WagnerIntevation GmbH, Osnabrück Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner ___ Openvas-discuss mailing list Openvas-discuss@wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Re: [Openvas-discuss] Next Tier for the OpenVAS feed: join with OSSIM/AlienVault
On Freitag, 22. August 2008, Jan-Oliver Wagner wrote: IMHO, there is no reason why OpenVAS NVT feed shouldn't be changed/extended in its contents/mission in order to suffice the needs of the OSSIM users. Basically this would mean to simply add any available .nasl script that is committed to openvas-plugins (all the SecPod scripts arrived in openvas-plugins trunk already today - thanks to Chandra). The mission of the OpenVAS NVT Feed would then be changed to something like Newest NVTs from Developer Team's Repository. There are some smaller issues that would need to be discussed (like clever structuring of families, OIDs and so on). In fact I do not see any major blocker why we shouldn't start this right away. Quite the opposite - (even slightly) diverging feed contents, would cause a lot of headache over time when trying to understand/discuss with other some scanning results. Opinions welcome. if no concerns are expressed, I will do this change as proposed. Of course we'd need to announce this prior to the change on openvas-announce. -- Dr. Jan-Oliver WagnerIntevation GmbH, Osnabrück Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner ___ Openvas-discuss mailing list Openvas-discuss@wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Re: [Openvas-discuss] OpenVAS VMware appliance - very basic version
On Sunday 31 August 2008 05:08, Patrick Hornung wrote: osva:~/openvas-client-1.0.4# pkg-config --cflags glib-2.0 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include Seems awfully reproducible in Debian Etch, but something is certainly not right. Any ideas? is glib.h in one of the above directories? Next, config.log created during configure of OpenVAS-Client might contain some helpful information. Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner ___ Openvas-discuss mailing list Openvas-discuss@wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Re: [Openvas-discuss] Fwd: Re: OpenVas plugin development (was Up to date statement of Account)
Tim, thanks for clearifying this. Now we only need bank details for international transfer. Best Jan On Montag, 13. Oktober 2008, Tim Brown wrote: -- Forwarded Message -- Subject: Re: OpenVas plugin development (was Up to date statement of Account) Date: Monday 13 October 2008 From: Michael Schultheiss [EMAIL PROTECTED] To: [EMAIL PROTECTED] Tim Brown wrote: On Friday 26 September 2008 19:39:46 Michael Schultheiss wrote: Michael Schultheiss wrote: I apologize for the lack of official communication. I was unable to find my initial request to the legal and financial advisors in my sent mail so I redrafted the request and added a request for an ETA of a response if they must do further research. I'll get back to you as soon as I hear back from the advisors. The CPA said he would look into this and get back to me on Monday, September 29, 2008. Michael, Any update on this? I finally heard back from the CPA. He said there should be no problem for SPI to hold the funds for this competition. -- Michael Schultheiss E-mail: [EMAIL PROTECTED] --- -- Dr. Jan-Oliver WagnerIntevation GmbH, Osnabrück Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner ___ Openvas-discuss mailing list Openvas-discuss@wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
[Openvas-discuss] Support scripts for local security checks?
Hello,

I wonder whether it might make sense for users to have shell scripts like openvas-lsc-prepare-target and openvas-lsc-remove-on-target that make the necessary changes on the target system to have it available for local security checks (and undo the changes if needed).

Basically it would be about creating a user with low rights and a ssh_authorization on the target system. Basically what is described on http://www.openvas.org/performing_lsc.html

Let me know your opinion or alternative ideas to make the LSC management easier.

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
[Openvas-discuss] Planning OpenVAS Developer Conference #2 (OpenVAS DevCon2)
Hello, I do see the growing need to meet in real life in order to * review the last 2 years of great development * plan future features * discuss designs * discuss how to extend NVT coverage * discuss professional services and how they relate to OpenVAS project * have a beer (or other beverages) with people we see only rarely or see only as an email address. In summary, I'd like to derive a master plan for the next 1-2 years from this meeting. I offer to hold the 2nd OpenVAS Developer Conference in Osnabrück, Germany in the new offices of Intevation. Potential dates are: June 11-14 2009 (Thursday-Sunday) June 18-21 2009 (Thursday-Sunday) July 9-12 2009 (Thursday-Sunday) July 16-19 2009 (Thursday-Sunday) Please let me know what you think! Who would like to participate? And already know the dates are OK for him/her? If we can gather at least a small group, then I will prepare a agenda and start into detailed planning to offer a nice and interesting stay. What I am uncertain: should we consider a Users' session prior to the DevCon with Workshops or alike? Maybe someone wants to hold a workshop. If we take a small fee we might finance travel for some developers. Opinions on this? All the best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner ___ Openvas-discuss mailing list Openvas-discuss@wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Re: [Openvas-discuss] Planning OpenVAS Developer Conference #2 (OpenVAS DevCon2)
Hi, I encourage you to send on-list comments :-) Important decisions that should be made during this developer meeting is: * OIDs: final layout, assignment procedure. * how to get rid of the opevas-plugins module (part of design for OpenVAS 3.0) All the best Jan On Donnerstag, 4. Dezember 2008, Jan-Oliver Wagner wrote: I do see the growing need to meet in real life in order to * review the last 2 years of great development * plan future features * discuss designs * discuss how to extend NVT coverage * discuss professional services and how they relate to OpenVAS project * have a beer (or other beverages) with people we see only rarely or see only as an email address. In summary, I'd like to derive a master plan for the next 1-2 years from this meeting. I offer to hold the 2nd OpenVAS Developer Conference in Osnabrück, Germany in the new offices of Intevation. Potential dates are: June 11-14 2009 (Thursday-Sunday) June 18-21 2009 (Thursday-Sunday) July 9-12 2009 (Thursday-Sunday) July 16-19 2009 (Thursday-Sunday) Please let me know what you think! Who would like to participate? And already know the dates are OK for him/her? If we can gather at least a small group, then I will prepare a agenda and start into detailed planning to offer a nice and interesting stay. What I am uncertain: should we consider a Users' session prior to the DevCon with Workshops or alike? Maybe someone wants to hold a workshop. If we take a small fee we might finance travel for some developers. Opinions on this? -- Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner ___ Openvas-discuss mailing list Openvas-discuss@wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Re: [Openvas-discuss] Cannot find libopenvas.2
Hi John,

On Tuesday 09 December 2008 18:52:28 John A. Sullivan III wrote:
> Hello, all, and congratulations to the developers on the release of OpenVAS. I had wondered with great interest what happened to the gnessus project. We have used Nessus off and on for years and are delighted to see the flurry of activity after what seems like three years of incubation.

there was a period of silence, though not of inactivity until we started intense phase. There are numerous tasks we have to cope with to offer a helpful product of high quality.

> We hope we can contribute our experiences, perhaps some documentation and maybe even some finances to further the project.

Any sort of contribution is more than welcome. The OpenVAS project has some pretty good working processes established to coordinate and manage the team. If you have special contributions in mind, please let us know.

> We thought we would dive right in to version 2 and immediately hit some problems. We are installing on fully patched Ubuntu 8.0.4 on amd64. I believe we have run Nessus 2.x successfully before and, in fact, it is still installed.

this platform should not be problematic.

> We took all defaults during installation from source (./configure make) and it appears to have installed into /usr/local/ as expected although I do not see an openvas.conf in /usr/local/etc/openvas/
>
> Although we will ultimately use our own key and cert, we thought we stay plain vanilla for our first test and do the cook book openvas-mkcert. Unfortunately, it returns:
>
> /usr/local/sbin/openvasd: error while loading shared libraries: libopenvas.2: cannot open shared object file: No such file or directory
> Executing openvasd failed. Make sure your library loader is configured properly and that openvasd is in your $PATH.

yes, you should employ LD_LIBRARY_PATH or ldconfig for this.

> So does adduser and even just trying to start openvasd.
>
> openvasd is in the path:
>
> [EMAIL PROTECTED]:~$ sudo echo $PATH
> /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/home/jsullivan/bin
> [EMAIL PROTECTED]:~$ sudo which openvasd
> /usr/local/sbin/openvasd
>
> /usr/local/lib is in /etc/ld.so.conf.d/libc.conf. We did manually run sudo ldconfig just in case. We even rebooted. All the same.

hm, so you did employ this. Could you additionally test using LD_LIBRARY_PATH?

> libopenvas.s exists:
>
> [EMAIL PROTECTED]:/usr/local/lib$ ls -l /usr/local/lib/libopenvas*
> lrwxrwxrwx 1 root root 16 2008-12-09 07:26 /usr/local/lib/libopenvas -> libopenvas.2.0.0
> lrwxrwxrwx 1 root root 16 2008-12-09 07:26 /usr/local/lib/libopenvas.2 -> libopenvas.2.0.0
> -rwxr-xr-x 1 root root 344799 2008-12-09 07:26 /usr/local/lib/libopenvas.2.0.0
>
> What have we done wrong? Thanks - John

not sure. What does ldd on openvasd say?

Best

Jan
[Openvas-discuss] Today: Joined efford to solve autotools issues before 2.0.0 - please help
Hi all, issues have been reported that the configure environment of OpenVAS does not work properly. Michael and myself were not able to reproduce the problem nor to fully understand it. So, please get into a discussion at IRC today to help solving the issue. See http://www.openvas.org/online-chat.html how to get there. Michael and myself will be there and do anything we can do to assist the analysis/understanding/fix of the issue. Since most people did not report problems with rc1, we will release 2.0.0 in case no one joins into the IRC session to discuss. I think that is the best we can do. Delaying the 2.0.0 further is no good option IMHO. All the best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner ___ Openvas-discuss mailing list Openvas-discuss@wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Re: [Openvas-discuss] Planning OpenVAS Developer Conference #2 (OpenVAS DevCon2)
On Sunday 21 December 2008 00:19:12 Tim Brown wrote:
> On Thursday 04 December 2008 16:04:11 Jan-Oliver Wagner wrote:
> > I offer to hold the 2nd OpenVAS Developer Conference in Osnabrück, Germany in the new offices of Intevation. Potential dates are:
> >
> > June 11-14 2009 (Thursday-Sunday)
> > June 18-21 2009 (Thursday-Sunday)
> > July 9-12 2009 (Thursday-Sunday)
> > July 16-19 2009 (Thursday-Sunday)
> >
> > Please let me know what you think! Who would like to participate? And already know the dates are OK for him/her?
>
> DebConf 9 is on July 16-31 in Spain but the other 3 dates are good right now.

this makes July 9-12 2009 (Thursday-Sunday) the date for OpenVAS DevCon #2. I will start into planning details.

> Another idea I just had is an OpenVAS village at Hacking at Random, August 13-16, 2009?

I likely will not be there, but perhaps some other OpenVAS developers?

> > If we can gather at least a small group, then I will prepare a agenda and start into detailed planning to offer a nice and interesting stay.
>
> Sounds like fun, I'd like to have a spot on governance put on the agenda. There are a number of things I'd like to brain storm with a view to getting feedback from openvas-discuss post conference.

Seems we can gather most major SVN committers at least :-)

> > What I am uncertain: should we consider a Users' session prior to the DevCon with Workshops or alike? Maybe someone wants to hold a workshop. If we take a small fee we might finance travel for some developers. Opinions on this?
>
> Sounds good to me but this isn't a crucial point in my mind. More important is to get some of the various developers together and hack some code.

Chandra offered to hold a workshop IIUC. We can announce the offer and simply see what happens.

Best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] (Debian - Lenny) glibc error when configuring openvas libraries
Hello,

On Friday 02 January 2009 21:03:24 Man-E-Faces wrote:
> I downloaded all of the tarballs associated with OpenVas and began with the libraries (per the instructions on the installing/ config page). Upon running ./config for the openvas libraries, I get the following error:
>
> checking for GLIB... no
> configure: error: glib >= 2.6.0 not found
>
> As you can see from the output below, I have a virtual package installed for 2.7.1 for glibc.

configure requests glib, not glibc. glib is part of the GTK+ project, see www.gtk.org for more.

Try something like

# apt-get install libglib2.0-dev

to install the development files.

Best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
[Openvas-discuss] Start of planning OpenVAS DevCon 2
Hi,

I just put a draft page on the OpenVAS DevCon#2 online: http://www.openvas.org/openvas-devcon2.html

I guess it might make sense to introduce a special email address such as devcon2 att openvas.org to not require to send reservation wishes, arrival times etc. to the public mailing list.

Also it would be great if a team of 2 or 3 people would volunteer to do some organizational work such as maintaining the above web page (also make it nicer than it is currently ;-), maintain the list of participants and coordinating the working out of the agenda.

Over here at Intevation we will take care of hotel reservations, evening events and all the stuff where you need to be onsite.

All the best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
[Openvas-discuss] Greenbone Website now online
Hello, last October I announced the launch of Greenbone Networks dedicated to OpenVAS enterprise services: http://lists.wald.intevation.org/pipermail/openvas-announce/2008-October/49.html Now, we have our website online: http://greenbone.net/ We are still busy on improving the website and finalizing our core product, the Greenbone Security Feed. If you have direct comments or questions, you can reach us via: i...@greenbone.net All the best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner ___ Openvas-discuss mailing list Openvas-discuss@wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
[Openvas-discuss] Draft announcement for OpenVAS DevCon2
Hello, I'd like to announce the DevCon2 to the openvas-announce mailing list. Here is a draft, what do you think? Best Jan OpenVAS Developer Conference #2: July 9-12 2009 in Germany For the second time, the OpenVAS developers will meet in real life to exchange ideas and plans about future OpenVAS developments. While Developer Conference (DevCon) #1 in 2006 brought the initial team together and lead to OpenVAS 2.0 and all of the project infrastructure, DevCon #2 faces the challenge to coordinate the numerous feature plans and other contributions brought in by the strongly growing user and developer community. We expect a final roadmap for OpenVAS 3.0 (to be released in late 2009), interesting exchange of ideas and concepts among professionals and newcomers and, last but not least, a lot of fun meeting team members from all over the globe. The planning coordination will be updated here: http://www.openvas.org/openvas-devcon2.html A User's Workshop is also planned one day prior to the conference (July 8th, 2009). OpenVAS users who are interested in a first-hand training should visit the DevCon#2 web page and express their interest early. DevCon#2 is kindly hosted by Intevation GmbH and will be held in their offices in Osnabrück, Germany. -- Dr. Jan-Oliver Wagner | ++49-541-335083-0 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner ___ Openvas-discuss mailing list Openvas-discuss@wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Re: [Openvas-discuss] Draft announcement for OpenVAS DevCon2
On Monday, 2 February 2009, Jan-Oliver Wagner wrote:
> I'd like to announce the DevCon2 to the openvas-announce mailing list.

sorry, of course I meant to a broader public. There already was an announcement on our own list.

> Here is a draft, what do you think?

Thanks for the confirming feedback. We'll start to push the news to the usual channels starting next week.

Best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335083-0 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] NVT Rsync and firewall issues
On Thursday 12 February 2009 19:31:52 Thierry Thelliez wrote: But I have a question: Should I empty my plugins directory first? Or does that matter? The rsync command retrieved 13314 files. On the server I now have 13324 files. Are the 10 extra files older definitions that should be removed? it is the *.nes files. Since they are platform-dependent they can not distributed over the feed. They are installed with the openvas-plugins module. One last question, is there other feeds I should consider? http://www.greenbone.net/solutions/gbn_feed.html ;-) But this is basically a supported version of the OpenVAS feed, not something complementary/addon. There is a feed with OSSIM, but I have no idea how much additional content is provided. Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner ___ Openvas-discuss mailing list Openvas-discuss@wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Re: [Openvas-discuss] Duplicate plugin IDs
On Thursday, 5 March 2009, Thomas Reinke wrote:
> I think there was a misunderstanding. I mean replace the ENTIRE script with the one line exit(0), not just the actual test logic. Remove everything, including the if(description) section, leaving only one line in the file. The server won't read anything (except exit). It thus can't pass anything on to make the user think the script is still active. There won't be any plugin ID conflicts, since there won't be a plugin ID in the deprecated script. You can't overwrite a different script (well, unless you are grabbing stuff from multiple sources and filenames themselves conflict, which is a completely different problem). And it won't require any code tweaks in the server.

I rather prefer to refine the sync process. And perhaps the openvas-plugins installation process in order to identify and handle such situations.

Mistakes might happen in the future. And it is not simple retiring, it can be just bugs. Having automated routines to take care of it would be the best option IMHO.

Best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335083-0 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
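The kind of automated check discussed in this thread, as an added example (not code from the thread or from the OpenVAS project): it reports plugin IDs that two different .nasl files would claim once a synced set is copied over the installed plugins, and shows that a retired script reduced to a bare `exit(0);` no longer conflicts. The directory layout, file names and IDs are constructed; it assumes the ID is declared with NASL's `script_id()`.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# NASL comments start with '#'. Dropping them keeps a commented-out
# script_id() from counting (simplification: a '#' inside a string literal
# on the same line is cut as well, which is harmless for locating the ID).
COMMENT_RE = re.compile(r"#[^\n]*")
SCRIPT_ID_RE = re.compile(r"\bscript_id\s*\(\s*(\d+)\s*\)")


def read_plugin_id(path):
    """Return the ID a .nasl file declares via script_id(), or None."""
    text = Path(path).read_text(encoding="latin-1")
    match = SCRIPT_ID_RE.search(COMMENT_RE.sub("", text))
    return int(match.group(1)) if match else None


def ids_after_sync(installed_dir, incoming_dir):
    """File name -> plugin ID as the plugin directory would look after the
    incoming files have been copied over the installed ones."""
    merged = {}
    for directory in (installed_dir, incoming_dir):  # incoming wins on a name clash
        for path in sorted(Path(directory).glob("*.nasl")):
            merged[path.name] = read_plugin_id(path)
    return merged


def conflicts_after_sync(installed_dir, incoming_dir):
    """Plugin ID -> sorted file names, for every ID claimed by two or more files."""
    by_id = defaultdict(list)
    for name, plugin_id in ids_after_sync(installed_dir, incoming_dir).items():
        if plugin_id is not None:  # ID-less stubs such as a bare exit(0) cannot conflict
            by_id[plugin_id].append(name)
    return {pid: sorted(names) for pid, names in by_id.items() if len(names) > 1}


def _nasl(plugin_id):
    """Constructed minimal plugin source with a description block."""
    return ('if(description)\n{\n script_id(%d);\n'
            ' script_name("constructed");\n exit(0);\n}\n' % plugin_id)


def demo():
    """Build constructed 'installed' and 'incoming' sets and check them twice."""
    with tempfile.TemporaryDirectory() as tmp:
        installed, incoming = Path(tmp, "installed"), Path(tmp, "incoming")
        installed.mkdir()
        incoming.mkdir()
        (installed / "old_check.nasl").write_text(_nasl(90001))
        (installed / "smb_check.nasl").write_text(_nasl(90002))
        # Plain update of an existing file: same name, same ID, no conflict.
        (incoming / "smb_check.nasl").write_text(_nasl(90002))
        # Renamed script arrives while the old file stays installed: conflict.
        (incoming / "new_check.nasl").write_text(_nasl(90001))
        before = conflicts_after_sync(installed, incoming)
        # The feed additionally ships the old name as a one-line stub.
        (incoming / "old_check.nasl").write_text("exit(0);\n")
        after = conflicts_after_sync(installed, incoming)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Run against a staging copy of the feed before installing it, a non-empty result is the signal to stop the sync and look at the listed files.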
Re: [Openvas-discuss] Idea features tracking
On Monday, 9 March 2009, Christian Eric Edjenguele wrote:
> one idea to avoid duplicate plugin development or feature for openvas, must be to set a trac base system (http://trac.edgewall.org/), like, but more powerful than the actual tracker. developer could also be able to add features there for proposal. what do you think ?

the discussion trac vs. GForge has a long record. Both have their advantages and disadvantages. A migration would consume lots of manpower and I do not see real showstoppers in the coordination of the developments. Best is to throw in the plans one has into the mailing list or into IRC. The development team is (yet) small enough to coordinate at this informal level. Once the team gets bigger, we indeed might need to think about some more formal processes.

Best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335083-0 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
[Openvas-discuss] Stopping support for openvas-plugins <= 1.0.2
Hello,

I'd like to stop support for openvas-plugins <= 1.0.2 soon. Those versions contained a bug in the nvt sync routine which was fixed on 2008-09-10 and first released with 1.0.3 on 2008-09-17.

This bug forced us to have an ugly work-around on the OpenVAS Feed Server and I want to get rid of it.

To find out whether the installed version is defect, you can execute this on the command line:

$ grep avrP `which openvas-nvt-sync` && echo "defect found, please update"

What we need is an announcement on the openvas-announce mailing list.

Apart from this, is anyone aware of an operating system that has openvas-plugins <= 1.0.2 as a default installation? (this could mean some trouble I guess)

Any additional idea about how to handle this situation?

Best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] Integrating OpenVAS into OSSIM
Hello Dominique, On Sunday 15 March 2009 17:36:32 Dominique Karg wrote: I'm finishing off the next release of ossim and I think it would add lot to it if we finally replaced nessus with openvas. :-) This release will be lenny (32 and 64bit) based, I'm having a look and notice that packages for lenny aren't readily available on the server part. My question therefore is: are there any official/trusted backports available or will we have to do them ourselves? In fact, we are working on Lenny packages over here at Intevation. However, it takes some time. We try to be in sync with the Debian stuff but Debian still did not manage to have all of OpenVAS integrated and also the recent releases did not arrive yet in unstable. However, I can not promise a date when our packages are available as there are so many tasks around OpenVAS to do. Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] OTP help
On Tuesday 17 March 2009 15:29:34 Shawn Duffy wrote:
> So, I would think that this means that only two plugins would be enabled (scanner plugins) and that the port range would be limited to 1-1024. As I watch the status messages scroll by it looks like the portscan is limited to 1-1024 but after that it starts running other plugins. I'm seeing it trying to run smb checks, slad checks and other status messages indicating that it is cycling through all available plugins:

in principle, issuing an NVT could mean that its dependencies are executed as well. This could mean a chain of a couple of scripts. You can look at the script dependencies to analyse this.

There is a client option that can silence the output of dependent plugins. However, they still will be executed.

Best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
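One way to do the dependency analysis suggested in this reply, as an added example (not code from the thread or from OpenVAS): it follows `script_dependencies()` declarations transitively from the enabled plugins and records which plugin pulled in which. Plugin names and sources are constructed; dependencies whose source cannot be read (for instance binary .nes plugins) are listed as unresolved instead of being followed.

```python
import re
from collections import deque

COMMENT_RE = re.compile(r"#[^\n]*")  # NASL comments start with '#'
DEPS_CALL_RE = re.compile(r"\bscript_dependencies\s*\(([^)]*)\)")
QUOTED_RE = re.compile(r'"([^"]+)"')


def parse_dependencies(nasl_source):
    """File names listed in the script_dependencies() calls of one plugin."""
    deps = []
    for call in DEPS_CALL_RE.finditer(COMMENT_RE.sub("", nasl_source)):
        deps.extend(QUOTED_RE.findall(call.group(1)))
    return deps


def execution_set(selected, sources):
    """Everything that runs when `selected` is enabled.

    sources maps plugin file name -> NASL source text. Returns
    (order, pulled_in_by, unresolved): breadth-first discovery order, a map
    from each plugin to the plugin that first required it (None for the
    selection itself), and the names whose source was not available."""
    pulled_in_by = {name: None for name in selected}
    order = list(selected)
    unresolved = []
    queue = deque(selected)
    while queue:
        name = queue.popleft()
        source = sources.get(name)
        if source is None:
            unresolved.append(name)  # cannot look inside, treat as a leaf
            continue
        for dep in parse_dependencies(source):
            if dep not in pulled_in_by:  # also stops dependency cycles
                pulled_in_by[dep] = name
                order.append(dep)
                queue.append(dep)
    return order, pulled_in_by, unresolved


def chain(plugin, pulled_in_by):
    """Path from an enabled plugin down to `plugin`, explaining why it runs."""
    path = [plugin]
    while pulled_in_by[path[-1]] is not None:
        path.append(pulled_in_by[path[-1]])
    return path[::-1]


# Constructed plugin sources; names and dependency relations are hypothetical.
SOURCES = {
    "example_web_check.nasl": 'if(description){ script_id(90010);\n'
        ' script_dependencies("example_find_service.nes",\n'
        '                     "example_http_version.nasl"); exit(0); }',
    "example_http_version.nasl": 'if(description){ script_id(90011);\n'
        ' script_dependencies("example_find_service.nes", "example_portscan.nasl");\n'
        ' exit(0); }',
    "example_portscan.nasl": 'if(description){ script_id(90012);\n'
        ' script_dependencies("example_ping.nasl"); exit(0); }',
    "example_ping.nasl": 'if(description){ script_id(90013); exit(0); }',
}


def demo():
    order, pulled_in_by, unresolved = execution_set(["example_web_check.nasl"], SOURCES)
    return order, unresolved, chain("example_ping.nasl", pulled_in_by)


if __name__ == "__main__":
    for part in demo():
        print(part)
```

Enabling one plugin here results in five being scheduled, and `chain()` gives the path that explains each unexpected one.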
Re: [Openvas-discuss] pid file location
On Friday 20 March 2009 16:15:16 John A. Sullivan III wrote: Hello, all. Perhaps I'm brain cramping in my rush but I did not see anywhere within openvasd.conf or anywhere else for that matter where we can set the location of the pid file. For example, we installed to /usr/local and the pid file is thus being created in /usr/local/var/run. Isn't the handling usually done by the start-stop daemon? Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner ___ Openvas-discuss mailing list Openvas-discuss@wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
[Openvas-discuss] Preparing announcement for NVT#10000
Hi OpenVAS team, I drafted an announcement for the (upcoming) 10000th NVT. Any comments, suggestions? Best Jan OpenVAS now beyond 10000 Network Vulnerability Tests Passing the 10.000th Network Vulnerability Test (NVT) is a perfect occasion to report about the progress of the OpenVAS project[1]. In October 2008 the systematic development of new NVTs started with a base of around 5800 Tests. With the release of OpenVAS 2.0 in December 2008, the development was boosted and reached now an average of 10 code updates per day. The public OpenVAS NVT Feed Service delivers 3-10 new vulnerability tests every day. The significantly grown and globally distributed developer team will gather on the second OpenVAS developers conference[2] July 9-12 2009 in Germany. During the conference features and roadmap for OpenVAS 3.0 will be scheduled. The OpenVAS project is directly backed up and also supplemented with professional services[3] by a number of companies, namely Greenbone Networks, SecPod, Intevation and SecuritySpace. Reaching the professional enterprise market is a good indicator that OpenVAS gained maturity very fast says Tim Brown, founder of the OpenVAS project. While OpenVAS 3.0 will likely appear already in 2009, users of OpenVAS 1.0 should prepare to migrate as support for 1.0 will end during 2009. [1] www.openvas.org [2] www.openvas.org/openvas-devcon2.html [3] www.openvas.org/professional-services.html -- Dr. Jan-Oliver Wagner | ++49-541-335083-0 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] Any news on OpenVAS debian packages?
On Wednesday, 15 April 2009, Dominique Karg wrote: just wanted to bump this again since I'd really love to replace Nessus with OpenVAS in the upcoming OSSIM release. what is the timeline? Lenny, I guess? Any news? Here at Intevation we prepared the OpenVAS-Client 2.0.2 for Etch and Lenny recently. Now we are working on 2.0.3, should be uploadable this week. Here at Greenbone we have Lenny packages for the server but they are heavily customized and not generally useful. Are you planning to take packages as they come or are you just seeking for source packages to rebuild for OSSIM? Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335083-0 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] False positive security holes ?
On Wednesday, 15 April 2009, Marco Schaerfke wrote: if(version_is_less_equal(version:version, test_version:5.1.5.0)){ security_hole(0); } I look with help of the explorer also for that file, but I am unable to find it. Could it be that the code above is wrong ? perhaps version contains wrongly crafted strings that result in true. Some debug_messages should help to find out. Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335083-0 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
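How a badly formed detected version can make a "less or equal" check come out true, as an added example that is not part of the original thread: `lenient_le` is a hypothetical comparator that treats unparsable segments as 0 (it is not the `version_is_less_equal` implementation), and `strict_le` is a hypothetical hardened form that refuses to decide on malformed input. The sample strings are constructed.

```python
import re

VERSION_RE = re.compile(r"\d+(\.\d+)*\Z")


def _pad(a, b):
    """Pad two integer lists with zeros to the same length."""
    width = max(len(a), len(b))
    return a + [0] * (width - len(a)), b + [0] * (width - len(b))


def lenient_le(version, test_version):
    """Hypothetical lenient check: anything that is not a number counts as 0."""
    def segments(value):
        out = []
        for part in str(value or "").split("."):
            m = re.match(r"\d+", part)
            out.append(int(m.group()) if m else 0)
        return out
    a, b = _pad(segments(version), segments(test_version))
    return a <= b


def strict_le(version, test_version):
    """Return True/False, or None when the detected version is malformed."""
    if not isinstance(version, str) or not VERSION_RE.match(version.strip()):
        return None  # no verdict: report as undetermined, not as a hole
    a = [int(p) for p in version.strip().split(".")]
    b = [int(p) for p in test_version.split(".")]
    a, b = _pad(a, b)
    return a <= b


def compare_samples(test_version="5.1.5.0"):
    """Run both checks over constructed 'detected version' strings."""
    samples = ["5.1.4", "6.0.1.2", "", "unknown", "Version 6.0", None]
    return {s: (lenient_le(s, test_version), strict_le(s, test_version))
            for s in samples}
```

In `compare_samples()`, the empty string, `"unknown"`, `"Version 6.0"` and `None` all report as vulnerable under the lenient check and as undetermined under the strict one.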
[Openvas-discuss] OpenVAS this week at DORS/CLUC 2009 in Zagreb, Croatia
Hello, I know it is very late info: I will give some presentations about OpenVAS at the main Linux/Free Software event of Croatia, DORS/CLUC 2009 ( http://www.open.hr/dc2009/ ). I guess all Croatian people here are already aware of this event ;-) However, the presentations are in English language, so it addresses a broad audience. All the best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335083-0 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
[Openvas-discuss] New web page to collect articles and studies about OpenVAS
Hello, I just created a new web page to collect articles and studies about OpenVAS: http://www.openvas.org/articles-studies.html If you know about any, please drop a note. Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner