[KLUG Members] Nessus differences

[Bill Katsma]

Tony,

Are your plugins up to date?

Do a "nessus-update-plugins" on both boxes.

Later <>< 



On Wed, 2003-11-19 at 12:09, Tony Gettig wrote:
> Hey there,
> 
> I've used Nessus for vulnerability scanning for awhile and it usually works
> great. Find the holes, fix'em, and life is good. 
> 
> Not so this morning. I'm using Suse 8.2 on two different PC's. Both have Nessus
> installed. One was installed from Red Carpet, the other built from source.
> 
> The Nessus from Red Carpet is telling me that one of my W2K servers is quite
> crackable and indeed, already cracked. Multiple netcat listeners and an NT
> rootkit. Somewhat alarmed, I started taking a close look at the box. Now I know
> it is the nature of rootkits to hide their existence, but I'm pretty sure
> there's not one on there. So I start wondering whether I'm getting a false
> positive from Nessus.
> 
> I usually build Nessus from source, so that's what I did on another machine.
> Download, build and install, and scan the same W2K box. Very different results.
> This built-from-source version of Nessus shows me a couple of holes remedied by
> hotfixes, but no evidence of a rootkit.
> 
> As I type this, a quick check of the Nessus version shows that Red Carpet
> installed 1.2.7 from the Suse channel and my source build is 2.0.9. Good grief.
> Both scan for a lot of the same attacks. Can they really be *that* different so
> as to give me extremely different results like that?
> 
> Why would Suse be sending out a version that old? Am I nuts, or can I trust the
> results of my source-built-nessus scan? 
>