On Sep 20, 2006, at 12:53 PM, Michel Arboi wrote:
On Wed Sep 20 2006 at 18:33, Douglas Nordwall wrote:
> Well, for me, the sheer configurability of it is the best part.
Speed
> isn't always what you are after, and just this morning, speed was
the
> enemy. We had a box that had countermeasures on it, and we had to
> move slow to not trigger them. I didn't see an option for this on
the
> built in scanner.
safe_checks && max_checks=1 gives the lowest speed.
(! safe_checks) && max_checks>=5 gives the highest speed.
While i know this to be true (although I was not aware that
safe_checks slowed things down, I may have missed mention of it, but
I don't remember seeing it), it does not offer the level of
configurability I was looking for in this particular situation. I
needed very slow scans (on the order of no more than 5 ports in 5
minutes) to bypass the countermeasures.
> I also like the ability to control port scan randomization
We may introduce some trick against *basic* portscan detection, but
probably not randomization, because it might lead to erratic
problems.
Maybe ask Fyodor what they did to compensate for the problems you are
concerned about? seems to work for nmap, unless the problems you
foresee deal with some aspect that nmap doesn't cover.
> and very fine grained control of the timing.
Fine grained control is the enemy of adaptability. Maybe I did not
find a single box with anti-portscan countermeasures, but I scanned
many boxes on unreliable links or loaded networks. In such cases, the
scanner has to slow down when it starts losing packets, and speed up
later. nessus_tcp_scanner does this rather well; in fact much better
than any other port scanner I tried.
fair enough, and for your network that is fine. For my network, which
I know fairly well, and have access to exactly what's happening on
it, I can make those determinations in other ways.
As I said, this was a particular circumstance that doesn't come up
everyday, but I did need more control than out of the box nessus
provided for.
> Part of it, I imagine is because we really like nmap and there is a
> mental "this is the best port scanner
This sounds more like marketing than technique to me.
No, It's not marketing. I don't think nmap needs any marketing from
me, a nobody in the computer security world. I'm merely expressing
the mindset that may be there for some folks. You might read it as
"we've always done it this way and we don't like to change" or "we
haven't seen an appreciable difference to change" or any number of
things. I assure you though, anyone on this list probably already
knows what nmap is, and it doesn't need to be marketed.
Anyway, I do not see where the problem is.
nmap.nasl has always been available, and the import function works
fine and does not need to be updated everytime a new option pops
up. Running Nmap from inside Nessus is definitely a bad idea, for
reasons that are written on the web site.
and I never said that it wasn't at least good to have there. Indeed,
I'm glad the discussion came up, as it's important for people to know
it's there, just to avoid headaches. You asked why people prefer to
use nmap instead of the built in. I was trying to give you some
feedback about how we operate that might be useful for Tenable.
--
http://arboi.da.ru/ http://ma75.blogspot.com/
PGP key ID : 0x0BBABA91 - 0x1320924F0BBABA91
Fingerprint: 1048 B09B EEAF 20AA F645 2E1A 1320 924F 0BBA BA91
Doug Nordwall
Unix Administrator
EMSL Computer and Network Support
Unclassified Computer Security
Phone: (509)372-6776; Fax: (509)376-0420
The best book on programming for the layman is "Alice in Wonderland";
but that's because it's the best book on anything for the layman.
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
