Plug-in architecture for Alerts?
Plug-in architecture for Alerts? - 19.Aug.2002 7:26:00 PM
zlop
Posts: 1
Joined: 19.Aug.2002
Status: offline
I was wondering if there are any plans to have the alerts updated regularly using a plug-in or update type of method ala Nessus? I know that one can easily create their own alerts, but it might be nice to have them automatically created and made available. Or, maybe that functionality is already there and I'm just missing it?
RE: Plug-in architecture for Alerts? - 20.Aug.2002 9:38:00 AM
xnih
Posts: 2465
Joined: 30.May2001
From: Idaho
Status: offline
I don't know about automatically created, but in the registered version of 3.0 the update feature will be available; through it you can update alerts, fingerprint files, etc.
eric
RE: Plug-in architecture for Alerts? - 22.Aug.2002 6:21:00 AM
gulp
Posts: 3
Joined: 21.Aug.2002
From: Germany
Status: offline
Are these alert updates confined to Microsoft exposures? In the manual, p. 31 (Updated Alerts), it says: "... This will download the latest version of the Microsoft database of security issues found in Windows and MS applications." What about the rest? I understand LNSS is a host- and network-based vulnerability scanner.
cheers gulp
RE: Plug-in architecture for Alerts? - 22.Aug.2002 7:20:00 AM
Blade
Posts: 286
Joined: 20.Feb.2001
From: Romania
Status: offline
Hi gulp,
You can configure LNSS to download mssecure.xml from Microsoft's website, but it's also possible to download new alerts using the update feature.
So: mssecure.xml for Microsoft patches, and the update feature (Help -> Check for security updates) for new alerts and other stuff (configuration files, ...).
RE: Plug-in architecture for Alerts? - 22.Aug.2002 9:55:00 AM
gulp
Posts: 3
Joined: 21.Aug.2002
From: Germany
Status: offline
Hi Blade,
Thanks for your prompt answer.
Still got some more questions, though. We are not quite sure what software to implement to check our network, so I tried to compare the results of Retina (eEye) and LNSS for some addresses in our network. The result was that some vulnerabilities Retina rated "High" were not even mentioned by LNSS, such as "Account: public - SNMP default community name", "Miscellaneous: Macromedia Flash Vulnerability", "Registry: Unchecked buffer in the Multiple UNC Provider NT4", and so on.
One can say that, in general, LNSS rated the vulnerabilities found by both programs one grade lower than Retina did (e.g. "Registry: LM Hash": High Risk according to Retina, Medium according to LNSS).
Do you happen to know where LNSS takes its security updates from? (SecurityFocus, Bugtraq, ...)
RE: Plug-in architecture for Alerts? - 22.Aug.2002 10:03:00 AM
xnih
Posts: 2465
Joined: 30.May2001
From: Idaho
Status: offline
quote: Are these alert updates confined to Microsoft exposures? In the manual p. 31 (updated alerts) it says "... This will download the latest version of the microsoft database of security issues found in Windows and MS applications.".
Here's what I have for Updated Alerts in the manual, which is a separate section (hopefully this will be the final edition of the manual):
This feature is only available in the registered version of GFI LANguard Network Security Scanner! New in LNSS 3.0 is the ability to update the alerts that LNSS scans for over the Internet. To update your Security Alerts, click on Help > Check for security update > Begin Updates.
Note: The security update feature will also update the fingerprint files used to determine what OS is on a device, and may update other behind-the-scenes files.
And Blade answered the rest.
eric
RE: Plug-in architecture for Alerts? - 22.Aug.2002 10:12:00 AM
xnih
Posts: 2465
Joined: 30.May2001
From: Idaho
Status: offline
quote: Do you happen to know where LNSS takes its security updates from? (Securityfocus, Bugtraq ...)
Most are coming from SecurityFocus, I believe. Blade would be the one to talk about that more, since 99.9% of the alerts were ones he created.
As for alerts that LNSS doesn't check for, some in my opinion are givens, i.e. SNMP default community name. If you are scanning with SNMP and haven't changed the defaults LNSS is using, then it is already scanning for "public". I believe I touched on that in the manual, but I could be wrong. It could be that more alerts like that need to be added to the database.
As for some that are completely missing, such as the Macromedia one or others: for the most part, in my opinion, Blade has been working on making the product bug free. And since most of the alerts have been written by him, not a lot of new ones have been added in the recent past.
On another note, I'm working on a whitepaper for the product currently. If you have any feedback on differences, pros and cons between Retina and LNSS, I'd love to hear them. You can email me at: xnih@cableone.net. I'm looking at adding some sort of comparison of the products to the paper.
eric
RE: Plug-in architecture for Alerts? - 23.Aug.2002 2:50:00 PM
Blade
Posts: 286
Joined: 20.Feb.2001
From: Romania
Status: offline
Hi Gulp,
You are right. For now, LNSS doesn't produce as many alerts as Retina does. Until now, we have invested a lot of time in building the tools for constructing security alerts (Alerts module, LANS, ...). Now that we have this base, we can concentrate more on building a good alerts database.
But, regarding your examples:
"Account: public - SNMP default community name": This is reported by LNSS; every computer responding to SNMP queries is vulnerable. For now, the information is displayed as SNMP (system). Maybe I should make an alert for this problem.
"Registry: Unchecked buffer in the Multiple UNC Provider NT4": This is not reported as an alert; it is detected as a missing patch. From my point of view, it doesn't make any sense to detect this problem twice.
"Miscellaneous: Macromedia Flash Vulnerability": This is not handled, but will be in the next build.
Regarding the rating of the vulnerabilities: it's a matter of opinion.
Source of vulnerabilities? The net: SecurityFocus, Bugtraq, Vulnwatch, ...
[ August 23, 2002, 08:51 PM: Message edited by: Blade ]