Re: bleeding nessus [was: Re: Funny note here on a worm]

[Ron Gula <rgula () tenablesecurity com>]

At 05:28 PM 5/1/2005, Gadi Evron wrote:
> > So someone who submits one, maybe two Nessus plugins which took 5-10
> > minutes to write is entitled to what? Lifetime updates? If folks submit
> > plugins to us, they go right into the GPL feed. If folks submit plugins
> > to us on MS Tuesday for new vulns, we don't accept them. It doesn't
> > mean they can't publish them someplace else though, or use them on
> > their own. I also really don't like the argument that somehow open
> > source security projects are responsible for providing free securing
> > solutions for non-profit organizations.
>
> Oh come on.

;)

> Tenable is known for saying:
> "There is no need for a community, we already have a nessus community!"
>
> Hey, let's start a community... get people writing plugins and get
> things going, but no...
>
> "There is no need for a community, we already have a nessus community!"
>
> But then...
>
> "
> If folks submit plugins
> > to us on MS Tuesday for new vulns, we don't accept them. It doesn't
> > mean they can't publish them someplace else though, or use them on
> > their own.
> "
>
> What other place?!

Any place you want. There is a bunch of Nessus stuff unrelated to
Tenable and not hosted on Nessus.org. We're not pretending to or
claiming to do everything. For example, we're still maintaining
NessusWX, even though we have many more people using our NeWT
vulnerability scanner for Windows.

> Tenable is the most confusing company out there;
> 1. They do great work, and should be appreciated.
> 2. They want to earn money rather than give everything away for others
> to earn money with, which is good.
> 3. They keep saying there is a community and they run it.
> 4. They keep resisting anything not-tenable, and admit to denying
> whatever might be against their own money-making agenda (which is also
> cool).
> 5. They claim to run an open community for nessus. That is very cool.

Are those your quotes? I can quote you now that you think we're
cool I think.

> Just tell me how it all works together? Not so cool.

As of today:

---
There are 7738 plugins in the direct feed (2252 in the non-registered GPL 
feed and 7709 in the registered feed), covering 2893 unique CVE ids and 
3633 unique Bugtraq IDs.
---

For those 7709 "registered" checks, you can use them for free, you
just can't put them into a product and re-sell it as your own. If you
really, really need those other 38 checks, you can wait seven days
or pay Tenable money. The GPL feed has no restrictions on it, other
than to comply with the GPL.

> I much prefer SF's way of doing things with snort. There is a snort
> community with GPL rules, with nessus there is just some sort of
> dictatorship and very limited number of people writing plugins.

That's great, but the snort community ruleset has not had a release
since 4/5 while the SF VRT was updated 4/20. Also, the current
registered VRT has ~3395 signatures in it.  The community rules have
slightly more than 100. At bleeding snort, which has been up and
running for some time now with lots of commercial sponsors, they
have 900 rules, 100 of which detect malware.

My point here is that regardless of the merit's of Sourcefire's
strategy to work with community writers, or the comment that you
think we're a dictatorship, the "community" has yet to really
contribute. This includes the 100s of commercial companies which
make use of Nessus and Snort.

I would highly encourage you to write a NASL script and submit it
to us. You'll see that we maintain your copyright, and will also
maintain your code if we find issues or false positives with it
over time. Tenable's only policy (besides not accepting just poorly
written NASL scripts, stuff that has high false positive rates,
.etc) is that we won't take NASL scripts for recently disclosed
vulnerabilities. Looking through the last 30 NASLs added, there
were at least two non-Tenable folks contributing to the GPL feeds.

> That is all once again cool, but don't sell ice to Eskimos, m'kay?

I guess I'm not sure what you would like to see Tenable do. Please
feel free to discuss it with me on/off list.

> If your point is being commercial - I have nothing against it, good
> luck! But don't give us this kind of two-faced statements about
> supporting open source and building an open community based on
> contribution and mutual assistance.

Unfortunately, that is an untruth from the get-go. If I was going to
stand up and say Nessus had significantly more than 1000 contributors,
I'd be a liar. There are more than 100,000 organizations which make use
of Nessus. It's an open-source community of users, not contributors.
Our goal was to increase the size of that community, and we've done
that to a great extent over the past few years. Adding Nessus 'local'
checks for UNIX as well as releasing a Windows version (NeWT) added
a lot of users. Most of those "local" checks were user contributions as
well.

> I think it's time a tenable free nessus community got assembled. It is
> becoming apparent that it will never work with them.

I'm not sure what won't work. We've only made it difficult for the
vendors who base their products and offerings on Nessus. For the vast
majority of the users, they are hardly effected.

I'd be very interested (on or off list) to hear specifically how our
changes have effected you.

There have been several non-Tenable initiatives already. There will
likely be more. I've seen some really good work, but not anything that
trumps using our 7-day old checks for free. A lot of them use the
awesome power of regex to remove any copyright and replace it with
something else.

Ron Gula, CTO
Tenable Network Security






_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave