Re: Evaluating Rapid7's Nexpose

[Steve Brukbacher <sab2 () UWM EDU>]

UW Milwaukee is also using this. We've been researching some potential
false positives on an Ubuntu box but in our experience we haven't see an
unreasonable number of false positives. In this case it looks like an
issue of the numbers used to identify patch levels that are creating
some false positives.  We are basing a scanning service on the product
but it's only a part of our overall strategy.

On the upside I love the reporting features and the fact that they
reference you to fixes for some problems.

I'd say the biggest problem is that sometimes it can't find the device
even though the address is on our net and publicly routable.   This then
returns a null set report.  We haven't been able to identify how to
allow for this on the assets themselves.  It does have a capability to
cache admin credentials which I've had some difficulty getting to work.

In general though scanning is only part of the picture in ensuring our
systems are meeting security requirements.  In that context I think it's
a good product.

--
Steve Brukbacher, CISSP
University of Wisconsin Milwaukee
Information Security Coordinator
UWM Computer Security Web Site
www.security.uwm.edu
Phone: 414.229.2224



Stelfox, Samuel G @ VTC wrote:
>         Vermont Technical College uses NeXpose as well and we have had
> mediocre experiences with it. It seems to miss some very serious
> security holes, does not list all the services that are running (or even
> make mention that the ports are open), and has a large number of false
> positives. It claims to have "verified" most of these false positives.
>         On the other hand it did provide reasonable solutions most of
> the time that it detected a problem. I still highly recommend checking
> the solution with other people online as some of the solutions were
> excessive for a problem that it says may theoretically cause a problem
> as long as it was used with an additional exploit. For example the ICMP
> timestamp response.
>
>                                 - Sam Stelfox
> -----Original Message-----
> From: Michael Bayne [mailto:baynema () JMU EDU]
> Sent: Wednesday, April 11, 2007 11:28 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Evaluating Rapid7's Nexpose
>
> We're currently evaluating Rapid7's Nexpose vulnerability scanner.  They
> claim to have a large install base in education, so I thought I'd see if
> any of you were using it and what your experience with it have been.
>
> I'm particularly interested in your estimates of false positives/false
> negatives, how you handle false positives in reporting, scalability,
> experiences with Rapid7's technical support, how well its database and
> web services scans work.
>
> The marketing guy was pushing the fact that all the vulnerability checks
> are stored in text files and custom vulnerability checks can be written.
>
>   The scripting language for the checks seems to be proprietary,
> however, which makes writing custom checks a tad bit hard without
> documentation.  Has anyone tried to write custom checks?  Have you had
> custom checks written for you by Rapid7?  Have you been able to get
> documentation about scripting from Rapid7?
>
> Any other thoughts you might want to share would be appreciated.
>
> Thanks.