Educause Security Discussion mailing list archives
Re: Evaluating Rapid7's Nexpose
From: "Ferris, Joe" <jferris () ADMIN FSU EDU>
Date: Thu, 12 Apr 2007 11:53:34 -0400
We have been using NeXpose for over a year and a half after a long evaluation period. Our experiences with Rapid7 have been positive; we can always reach a live person, and they are more than willing to work with us on any issue or suggestion. We have been working with their company to improve NeXpose, and many of our suggestions have been included in their recent upgrade/release. We have a fairly large deployment of their solution, and it continues to grow each week.
From what we have seen, we do not normally have any issues with false positives on the Windows side or with most versions of *nux. We have seen false positives with some Debian distributions and also Solaris systems. The patch versions seem to report back information that is a little different from what NeXpose is expecting to see. We are currently working with them to correct these false positives. Also, we are using the NeXpose internal ticketing system for administrators to report false positives back to us, and that seems to be working pretty well.

The older Derby database was not as scalable for us (smaller deployments may be fine) and did show some performance problems in the past. The latest release supports PostgreSQL and should not have the same issues for our deployment.

We have had access to an older version of the API documentation, and there seems to be a lot that can be done with it; I'll have to call them today and see if I can get an updated version. We have done a lot with tweaking the scan engine (settings and configuration for how you are scanning, ports, vulnerability checks, network discovery, etc.) but have not had to write many custom scripts. We are planning on working with Rapid7 to include some custom rules in the future, though.

If you have any other questions please let me know and I'll do what I can to help.

Regards,

Joe Ferris
Network Security Engineer
Florida State University
850-645-8051 (Work)
850-694-4064 (Mobile)
jferris () admin fsu edu

-----Original Message-----
From: Michael Bayne [mailto:baynema () JMU EDU]
Sent: Wednesday, April 11, 2007 11:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Evaluating Rapid7's Nexpose

We're currently evaluating Rapid7's Nexpose vulnerability scanner. They claim to have a large install base in education, so I thought I'd see if any of you were using it and what your experiences with it have been.

I'm particularly interested in your estimates of false positives/false negatives, how you handle false positives in reporting, scalability, experiences with Rapid7's technical support, and how well its database and web services scans work. The marketing guy was pushing the fact that all the vulnerability checks are stored in text files and custom vulnerability checks can be written. The scripting language for the checks seems to be proprietary, however, which makes writing custom checks a tad bit hard without documentation. Has anyone tried to write custom checks? Have you had custom checks written for you by Rapid7? Have you been able to get documentation about scripting from Rapid7?

Any other thoughts you might want to share would be appreciated. Thanks.

--
Mike Bayne
Security Engineer
baynema () jmu edu
1.540.568.1684
Current thread:
- Evaluating Rapid7's Nexpose Michael Bayne (Apr 11)
- <Possible follow-ups>
- Re: Evaluating Rapid7's Nexpose Logan, Kimberly (loganks) (Apr 11)
- Re: Evaluating Rapid7's Nexpose Conor McGrath (Apr 11)
- Re: Evaluating Rapid7's Nexpose Stelfox, Samuel G @ VTC (Apr 11)
- Re: Evaluating Rapid7's Nexpose Jason Carr (Apr 11)
- Re: Evaluating Rapid7's Nexpose Ferris, Joe (Apr 12)
- Re: Evaluating Rapid7's Nexpose Steve Brukbacher (Apr 12)