[KLUG Members] Nessus differences

Tony Gettig members@kalamazoolinux.org
Wed, 19 Nov 2003 12:09:06 -0500


Hey there,

I've used Nessus for vulnerability scanning for a while and it usually works
great. Find the holes, fix 'em, and life is good.

Not so this morning. I'm using Suse 8.2 on two different PCs. Both have Nessus
installed. One was installed from Red Carpet, the other built from source.

The Nessus from Red Carpet is telling me that one of my W2K servers is quite
crackable and indeed, already cracked. Multiple netcat listeners and an NT
rootkit. Somewhat alarmed, I started taking a close look at the box. Now I know
it is the nature of rootkits to hide their existence, but I'm pretty sure
there's not one on there. So I start wondering whether I'm getting a false
positive from Nessus.

I usually build Nessus from source, so that's what I did on another machine.
Download, build and install, and scan the same W2K box. Very different results.
This built-from-source version of Nessus shows me a couple of holes remedied by
hotfixes, but no evidence of a rootkit.

As I type this, a quick check of the Nessus version shows that Red Carpet
installed 1.2.7 from the Suse channel and my source build is 2.0.9. Good grief.
Both scan for a lot of the same attacks. Can they really be *that* different so
as to give me extremely different results like that?

Why would Suse be sending out a version that old? Am I nuts, or can I trust the
results of my source-built Nessus scan?


-- 
Tony Gettig
Voiceovers, PGP key, and more at
http://gettig.net