MLUG: RE: [MLUG] Security Scanners/Network Security/Nessus/Etc.

1. Nessus actually calls nmap - so just use nessus and you're doing an
nmap scan. Don't use the rpms - compile it and you'll have more
granularity over nmap options (which you need to tweak to your network).
2. Not nessus :) I don't honestly know.
3. Dunno - I suppose it could be. You want the players (clients) or the
servers? If you want the clients look at the firewall/router logs and go
from there - clients won't respond because they aren't listening on a
port.
4. hehe watch the printers :) I've run into this quite a bit actually
and there isn't a really good way to prevent it in my experience. 
5. I think there's a nessus-users list. Other than that I just kind of
relied on whatever made sense :(
6. Many SMB "vulnerabilities" are more informational than anything.

My best advice with Nessus is to evaluate the results as YOU see it -
NOT how it does. 

I tend to go by SANS here - risk = (Criticality + Lethality) - (Net
Countermeasures + Host Countermeasures) where each is assigned a value
of 1-5 (5 being high). 

Following this has helped me put things in perspective. If I have a 2000
Server with IIS 4 unpatched on a private network (ie - single hub
connected to nothing else) and scan it Nessus will very happily yell and
scream about it - but is there risk? Only from me, and I trust me. If I
have a vulnerable server on a private network behind a Linksys
cable/router that allows everything out and nothing in am I at risk?
Probably not - the risk is from yourself more than anything - what you
install, where you visit, etc. I go by an old saying as well "Don't
build a $1000 fence to contain a $100 horse."

All of this gets wrapped up in the concept of "Defense in Depth."
Defense-in-Depth is one of the overriding principles of information
security, allowing layered security to capitalize on the respective
strengths of each component while being flexible enough to choose
components based on technical, budgetary, and political constraints. 

I know I kind of babbled on here . . . sorry about that - I get kind of
passionate about security (look at my email address)

-- Brent
EMAIL:PROTECTED
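The risk formula quoted in the reply above, carried through on the two scenarios it describes (an unpatched IIS 4 box on an isolated hub, and the same box behind a NAT router), plus a third constructed finding to show how re-scoring reorders what the scanner flagged. This is an added illustration, not code from either poster; all factor values are assumptions chosen for the example.

```python
"""Worked example of the SANS-style formula quoted in the reply:
risk = (Criticality + Lethality) - (Net Countermeasures + Host Countermeasures),
each factor scored 1-5 (5 high). Added example, not from the original posts."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    scanner_severity: str      # label the scanner itself reported
    criticality: int           # 1-5: how much the asset matters to us
    lethality: int             # 1-5: how bad a successful attack would be
    net_countermeasures: int   # 1-5: firewall, NAT, segmentation, isolated hub
    host_countermeasures: int  # 1-5: patch level, hardening, local controls


def _check(name: str, value: int) -> int:
    """Every factor must be on the 1-5 scale the formula assumes."""
    if not 1 <= value <= 5:
        raise ValueError(f"{name} must be 1-5, got {value}")
    return value


def risk_score(criticality: int, lethality: int, net_cm: int, host_cm: int) -> int:
    """Range is -8 (fully mitigated) to +8 (critical asset, nothing in the way)."""
    return (_check("criticality", criticality) + _check("lethality", lethality)) - (
        _check("net countermeasures", net_cm) + _check("host countermeasures", host_cm))


def triage(findings):
    """Rank findings by our own score, highest first, ignoring the scanner's label."""
    scored = [(risk_score(f.criticality, f.lethality,
                          f.net_countermeasures, f.host_countermeasures), f)
              for f in findings]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


# Constructed sample findings (assumed values, not real scan output).
SAMPLE = [
    # Unpatched IIS 4 on a hub connected to nothing else: lethal if reached, but unreachable.
    Finding("lab-win2k", "IIS 4 unpatched", "High", 2, 5, 5, 1),
    # Same flaw behind a cable/router that allows everything out and nothing in.
    Finding("home-win2k", "IIS 4 unpatched", "High", 2, 5, 4, 1),
    # "Informational" SMB item, but on the file server everyone depends on, reachable LAN-wide.
    Finding("fileserver", "SMB null session allowed", "Medium", 5, 3, 2, 2),
]

if __name__ == "__main__":
    for score, f in triage(SAMPLE):
        print(f"{score:+d}  {f.host:12} {f.issue:26} (scanner said {f.scanner_severity})")
```

Run as-is, the "Medium" SMB finding on the file server (score +4) outranks both "High" IIS findings (+2 and +1), which is the point the reply makes about reading results yourself.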

-----Original Message-----
From: Jason McIntosh [mailto:EMAIL:PROTECTED]
Sent: Thursday, March 06, 2003 1:09 PM
To: EMAIL:PROTECTED
Subject: [MLUG] Security Scanners/Network Security/Nessus/Etc.


General question which may have been asked before, but updated responses
are of course welcome :)

We're doing network scans (or attempting to) using various tools. 
Primarily right now, we're using Nessus & Nmap.  However, Nessus doesn't
seem to identify things all that well.  Further, it'd be nice to have a
scanner which could identify things like the "WeatherBug" spyware or
other oddities.  

An example of this - there was a radio station that had an open port. 
Nessus identified it incorrectly as a webserver (b/c it kinda responded
that way) but it was really the software opening the port, and then on
request spitting binary data of some sort back (guessing music or
something like that).

The questions I have for the list are as follows:
1)  What security scanning software does everyone use/recommend?  Is
Nessus & Nmap the standard?
2)  What applications can be used to identify spyware?
3)  The idea is we're wanting to shut down many of the net radio players
such as spinner due to a concern that they might be security holes. 
Does anyone know whether this is the case or have other comments on
this?
4)  The last time I did a general network scan with Nessus, a LOT of our
JetDirect or HP networked printers started printing garbage, and then
had to be reset.  Has anyone else seen this with Nessus?  Is there a way
to fix either the printers or Nessus so this wouldn't happen and we can
do regular scans again?
5)  What mailing lists are available (low traffic, preferably) for
discussions of such issues?  Is there one on the MU campus?  If so, how
does one get subscribed, the listname, etc.?
6)  Nessus identifies a lot of things, but at the same time, doesn't
really test them out to find whether the "identified" things are
actually vulnerable.  An example is a lot of the SMB errors reported. 
Is there a decent tool for testing these reported vulnerabilities out?

Any advice, comments, etc. are welcome.  I do pretty well with TCP/IP
work, as well as being able to hit and fix a lot of the common stuff
identified using Nessus, but as said - there have been some problems
with Nessus and I'm always curious to see what else is out there, known,
etc.
Thanks!
Jason McIntosh
-- 
/--------------------------------------|---------------------------\
| Jason McIntosh                       | CELL: 573-424-7612        |
| Webmaster, thinker, Programmer, etc. | WORK: 573-884-3865        |
| http://poetshome.com/                |                           |
|------------------------------------------------------------------|
|"How should I know if it works?  That's what beta testers are     |
|for.  I only coded it."                                           |
|(Attributed to Linus Torvalds, somewhere in a posting)            |
\--------------------------------------|---------------------------/



