Penetration Testing mailing list archives

Re: Nessus 3.0 released


From: Renaud Deraison <deraison () nessus org>
Date: Tue, 13 Dec 2005 12:26:36 -0500



Hi Erin,

On Dec 13, 2005, at 11:43, Erin Carroll wrote:

Renaud, I know you and some others from Tenable lurk on this list. Any comments or hard numbers you could provide on the performance differences (or other areas of improvement like reporting) would be very welcome.


We're in the process of setting up a page with charts and everything, but here are the basic facts:

In terms of performance, the "raw" nasl3 performance is roughly 16x faster than nasl2, which puts the language on par with more traditional languages like perl (and faster than python). In some corner cases you can get an even more impressive performance improvement, for instance when using recursive functions.

Of course, since Nessus is a _network_ scanner, the bottleneck in the end is the network itself, so a nasl engine which is N times faster does not imply a scanner which is N times faster. An overall scan of our lab (local network) takes half the time it used to. However some hosts are much faster -- in particular the Windows boxes (the reason is that our SMB API is more complex code-wise than what it used to be, so that's where one can see the biggest boost).

However, once again the final bottleneck is the network and the remote host -- if you scan one 100% firewalled host, you'll probably see little to no improvement over Nessus 2.2.6.

While we're talking about performance, I'd like to point out that over the last months, we've profiled all the plugins and fixed those which were too slow -- improving the engine makes no sense if you have plugins with long timeouts. So even users sticking to Nessus 2.2.x have probably noticed speedups over the last months.

In terms of other changes:

- When a scan is done with Windows credentials we now look at the version of the files on disk, not just the presence of a key in the registry. (Of course, credential-less plugins are written whenever possible.)

- In terms of reporting, we do not intend to duplicate efforts such as OSVDB or the Bugtraq database. We've changed the output format of the new plugins to be more readable and contain more information. The new format is also easier to parse. Example at <http://www.nessus.org/plugins/index.php?view=single&id=20297>. Using 'nasl -V' you can also parse plugins fairly easily.

- Our risk metric uses CVSS. We are in the process of going back through every plugin to change the description to the new format and add CVSS ranking.

- We have also fixed many false positives over the last months. To such an extent that we'll soon announce a "contest" where anyone helping us fix 10 different false positives (and negatives) will obtain a free direct feed, so we can be sure to nail the remaining plugins which sometimes do not behave as expected (I'll repost about that very soon).

- Nessus 3 contains yet-unused features which will probably become handy someday. One of them is the ability to rate the 'confidence' of a vulnerability (i.e., a banner check against Apache is probably 50% reliable since all distros backport the fixes, while a credential-less test for upnp is 100%).



Now the thing Nessus 3 does _NOT_ do is vulnerability management. Nessus is a scanning _engine_, not a ticketing system. Unfortunately, some analysts seem to confuse the two and (will probably) bash Nessus 3 for not managing the vulnerabilities it finds. Nessus 3 is to a vulnerability management system what libpcap is to ethereal -- it's a "sensor" which reports data. If you want a full-blown vulnerability management solution we have products which do that -- I'll spare you the advertisements.


Finally, feedback with regards to Nessus 3 is welcome -- just download it at <http://www.nessus.org/download/> and let me know how it fares for you!

Thanks,

                                        -- Renaud

--
Renaud Deraison
http://www.nessus.org
http://www.tenablesecurity.com
