Security Basics mailing list archives
Re: Security scanning tools
From: H Carvey <keydet89 () yahoo com>
Date: 15 Dec 2003 20:25:34 -0000
In-Reply-To: <BAY9-F13GLm3He0ximp000309e5 () hotmail com>
> I'm currently testing new scanning tools to replace Nessus. I ran ISS System Scanner and Micro$oft Baseline Security Analyst on a Win2000 box and compared the results to the regular Nessus scan. Each product reports different things...
>
> - Nessus says everything is cool
> - MS BSA reports that patch MS02-032 has not been applied
> - System Scanner finds a nonexistent modem, no virus software (as if!) but no patches
>
> When I log on to the machine and try to run the MS update routine through IE, it reports no patches to be applied. Am I going crazy or using the tools wrong? Surely they should all report the same vulnerabilities?
Not necessarily. You can't compare apples to oranges and expect to see the same results, particularly since not all of the tools you've run even advertise themselves to be all-inclusive.

I'm not *as* familiar with Nessus as some others, and from my understanding, it's a purely network-based scanner; i.e., it looks for open ports, then queries the various services it finds running for vulnerabilities. For example, if Nessus finds IIS running, it will run a variety of checks against it, but it won't check IIS patch levels on the system itself, or check various settings in the metabase.

MBSA checks patches and Service Packs...that's it.

ISS is...well...ISS. When I worked at another company, I crafted my own scanning tool due to significant false positives in the product. Rather than getting the decisions that ISS arrived at based on raw data, I collected the raw data itself.

It sounds as if you ran ISS either on the local system itself, or via a Domain Admin account. The system may not have actually had a modem in it, but ISS looks for modem drivers, not the actual hardware. For the Registry keys involved, check out mdmchk.pl at:

http://patriot.net/~carvdawg/perl.html

To answer your question again...no, they won't all report the same issues because they don't all operate in the same manner. They are all tools, and you really need to understand what's going on when you click the "Go" button.
> My questions to the group are:
>
> 1. What tool[s] should I look to buy that correctly reports security vulnerabilities with the least false positives?
I think before you ask that question, you really need to try and understand what it is you're trying to do, in the context of the business goals you're trying to support. If you decide that you must purchase a commercial tool, you have to ask yourself, do you have a homogeneous or heterogeneous infrastructure? Do you want one tool that checks all systems, or would separate, specialized tools be more what you're looking for?

For example, if you're all Win2K and above, maybe you can do this by comparing the current config to a security template you've developed (or downloaded) via the MMC. Or you can write Perl scripts (I know, I'm biased) that do the checks for you, reaching out across the domain.
> 2. Are false positives a known [feature] of all scanning tools?
Yep. But again, you ran three different tools that do three different things, and therefore you can't expect the same results from all three.

Harlan
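An added example, not code from the original thread and not Carvey's mdmchk.pl, written in Windows PowerShell rather than Perl. It collects the raw data behind each of the three disputed findings rather than a tool's verdict: modem driver entries in the Registry versus modem devices WMI actually enumerates, installed hotfixes versus a list you supply, and a secedit analysis of the live configuration against a security template. The computer name, the KB list and the template path are placeholders; the GUID is the standard modem device-setup class. It assumes a Windows PowerShell 5.1 host with Remote Registry and DCOM/WMI access to the target.

```powershell
# Added example (not from the original post). Gathers the raw evidence a scanner's
# verdict rests on, labelled by source, so the three tools' disagreements can be
# checked against the box itself.
param(
    [string]   $ComputerName = $env:COMPUTERNAME,
    [string[]] $RequiredKB   = @('KB000000'),               # placeholder: fill in the KB IDs for the bulletins you care about
    [string]   $TemplatePath = 'C:\templates\baseline.inf'  # hypothetical path to your security template
)

# Device-setup class for modems. A subkey here means a modem *driver* was installed at
# some point; it says nothing about whether the hardware is present now.
$ModemClassKey = 'SYSTEM\CurrentControlSet\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}'

function Get-ModemEvidence {
    param([string]$Computer)

    # Source 1: Registry driver entries (the kind of check that reports a "nonexistent modem").
    $hive  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $class = $hive.OpenSubKey($ModemClassKey)
    if ($class) {
        foreach ($name in $class.GetSubKeyNames()) {
            try {
                $desc = $class.OpenSubKey($name).GetValue('DriverDesc')
                if ($desc) {
                    [pscustomobject]@{ Source = 'Registry driver entry'; Item = $desc; Detail = "HKLM\$ModemClassKey\$name" }
                }
            } catch { }   # the 'Properties' subkey is normally access-denied; skip anything unreadable
        }
    }

    # Source 2: modem devices WMI enumerates (closer to "is there a modem in this box?").
    Get-WmiObject -Class Win32_POTSModem -ComputerName $Computer -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Source = 'WMI Win32_POTSModem'; Item = $_.Name; Detail = "Status=$($_.Status)" }
        }
}

function Get-PatchEvidence {
    param([string]$Computer, [string[]]$Required)

    # Win32_QuickFixEngineering is one raw source for "what is installed"; MBSA decides from
    # its own catalogue, so treat this as evidence to compare, not as the final answer.
    $installed = Get-HotFix -ComputerName $Computer | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Required) {
        $state = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
        [pscustomobject]@{ Source = 'Win32_QuickFixEngineering'; Item = $kb; Detail = $state }
    }
}

function Invoke-TemplateAnalysis {
    param([string]$Template)

    # secedit compares the live configuration to the template and writes the deltas to the log.
    # It only analyses the machine it runs on, so run this on the target (or through remoting).
    $db  = Join-Path $env:TEMP 'analysis.sdb'
    $log = Join-Path $env:TEMP 'analysis.log'
    & secedit.exe /analyze /db $db /cfg $Template /log $log /quiet | Out-Null
    Get-Content $log | Where-Object { $_ -match 'Mismatch' }
}

$findings  = @()
$findings += Get-ModemEvidence -Computer $ComputerName
$findings += Get-PatchEvidence -Computer $ComputerName -Required $RequiredKB
$findings | Format-Table -AutoSize

if (Test-Path $TemplatePath) {
    Invoke-TemplateAnalysis -Template $TemplatePath
}
```

If the output shows a Registry driver entry but no Win32_POTSModem row, that is the "nonexistent modem" case from the question: the scanner saw the driver, not the hardware. Likewise a KB that Get-HotFix reports as installed while MBSA says it is missing tells you the two are reading different artifacts, which is the thing to investigate before calling either one a false positive.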
Current thread:
- Security scanning tools Jack Solomon (Dec 15)
- Re: Security scanning tools Carlton Foster (Dec 15)
- Re: Security scanning tools Devilscrow Sr (Dec 15)
- Re: Security scanning tools Chris Burton (Dec 15)
- SV: Security scanning tools Kim Guldberg (Dec 16)
- <Possible follow-ups>
- Re: Security scanning tools H Carvey (Dec 15)
- RE: Security scanning tools KoRe MeLtDoWn (Dec 15)