Jump to content


Photo
- - - - -

Nessus


  • Please log in to reply
5 replies to this topic

#1 Merk

Merk

    Mack Daddy 31337

  • Members
  • 242 posts
  • Location:t3|-| |337 |*|_/-\<3

Posted 07 October 2005 - 03:36 PM

Nessus began in February to have restricted plugin stuff, Teneble is now restricting the liscence, and Nessus 3 will no longer be GPL. They say they will still maintain the GPL Nessus 2, but probably not for long.

Nmap Hackers,

In the last Insecure.Org Security Tools survey, you guys proudly voted
Nessus #1.  It complements the functionality of Nmap by going further
to detect application-level vulnerabilities.  Then in February of this
year, Tenable changed the Nessus license to further restrict the
plugins and require that you fax them a permission request form before
you use Nessus for any consulting engagements.  Renaud wrote to this
list on Feb 8
(http://seclists.org/...n-Mar/0001.html),
explaining that their new slogan ("the open-source vulnerability
scanner") was accurate because the engine was still open source.
Today, their slogan has changed to "the network vulnerability
scanner", and you can probably guess what that means.  In the
announcement below, Renaud announces that Nessus 3 (due in a couple
weeks) will be binary only and forbid redistribution.  They say it
will be free, for now, if you use the delayed plugin feed.  They have
also announced that Nessus 3 will be faster and contain various other
improvements.  They promise to maintain GPL Nessus 2 for a while, but
I wouldn't count on that lasting long.

I am not taking a position on this move, but I do feel it is worth
noting for the many Nessus users on this list.  Tenable argues that
this move is necessary to further improve Nessus and/or make more
money.  Perhaps so, but the Nmap Project has no plans to follow suit.
Nmap has been GPL since its creation more than 8 years ago and I am
happy with that license.

When asked why they are making this change, Renaud replied to the
Nessus list today that open source hasn't really worked for Nessus
because "virtually nobody has ever contributed anything to improve the
scanning _engine_ over the last 6 years."  This may be the most
important and useful point we can take from this change.  Open source
really is a two-way street.  The only way we (open source projects)
can seriously compete with projects staffed by dozens or hundreds of
paid full time developers is by having hundreds or thousands of
volunteers each contributing a little bit part time.  So if you are a
heavy user of open source software, please think about how you can
help out.  Here are some ideas:

o If you are feeling ambitious, write and distribute your own little
program to solve a problem you are having or otherwise makes your
life easier.  It doesn't have to be anything big or fancy at first.
Nmap started out as a little 2,000-line utility published in Phrack
magazine.  Post your creation to Freshmeat, or to nmap-dev if it
relates to Nmap in some way.  Hmm, I think there is a current vacuum
in the open source vulnerability scanner field :).

o Or take a more active coding role for an existing open source
project.  In the Nmap world, former Google SoC students are
developing three promising projects: NmapGUI and UMIT are new GUIs
and results viewers for large Nmap scans, and Ncat is a powerful
reinterpretation of the venerable Netcat.  Working code for all
three of these is available if you join the Nmap-dev list
(http://cgi.insecure....stinfo/nmap-dev) and I'm sure the
respective authors (Ole Morten Grodaas, Adriano Monteiro, and Chris
Gibson) would appreciate help, feedback, and testing.

o Find a bug in some open source software?  Try to reproduce it with
the latest version of the software and do some web searching to see
if it is already known/fixed.  If not, report it with full details
about how to reproduce it and the platform and software version of
the software you are running.  It is even better if you can submit a
patch which fixes the problem.

o Join the relevant mailing lists for the project and help out new
users.  Maybe you can write or translate some documentation, such as a
tutorial for using the product or a HOWTO for using it to solve a
common need.

o The Nmap Project does not accept financial donations, but many other
projects do.  If some little project does exactly what you need and
saves you half a day of work or makes it into your regular-usage
arsenal of tools, consider kicking the author back $5 or $10.  Not
only will it help defray costs of the project, but it shows the author
that users really appreciate his/her work and thus makes a newer
version more likely.  Similarly, if you see an ad on the project
web site that interests you, click on it and spend a couple minutes
checking the product out.

o Spread the word!  Commercial software houses pay to spread the word
about their product in magazines, web sites, TV, conferences, etc.
Open source projects such as Nmap can't.  So if you find a project
useful, don't hesitate to post a link on your web page and  mention it
(including the URL) on mailing list, newsgroup, and web forum posts.

Those are a few ideas, and I'm sure you can think of more based on
your experience, expertise, and available resources.  Rather than mope
over the loss of open source Nessus, we can treat this as a call to
action and a reminder not to take valuable open source software such
as Ethereal, DSniff, Ettercap, gcc, emacs, apache, OpenBSD, and Linux
for granted.

Cheers,
Fyodor

PS:  Here is the Nessus announcement:

----- Forwarded message from Renaud Deraison <rderaison@tenablesecurity.com> -----

Date: Wed, 5 Oct 2005 12:16:45 -0400
X-Mailer: Apple Mail (2.734)
From: Renaud Deraison <rderaison@tenablesecurity.com>
To: nessus@list.nessus.org, nessus-announce@list.nessus.org
Cc:
Subject: [Nessus-announce] Nessus Roadmap / Nessus 3.0.0rc1 testers wanted



Hi everyone,


We are a few weeks away from releasing Nessus 3.0.0, and I'd like to
take some time to explain our roadmap in this regard.

Nessus 3 / Nessus 2 Roadmap
----------------------------


Nessus 3 is major enhancement of the key components of the Nessus
engine - the NASL3 intepreter has been rewritten from scratch, the
process management has changed to reduce the overhead of executing a
plugin (instead of creating NxM processes, nessusd now only creates N
processes), the way plugins are stored has been improved to reduce
disk usage, etc...

Nessus 3 also contains a lot of built-in features and checks to debug
crashes and mis-behaving plugins more easily, and to catch
inconsistencies early.


As a result, Nessus 3 is much faster than Nessus 2 and less resource
intensive. Your mileage may vary, but when scanning a local network,
Nessus 3 is on average twice as fast as Nessus 2, with spikes going
as high as 5 times faster when scanning desktop windows systems.


Nessus 3 will be available free of charge, including on the Windows
platform, but will not be released under the GPL.

Nessus 3 will be available for many platforms, but do understand that
we won't be able to support every distribution / operating system
available. I also understand that some free software advocates won't
want to use a binary-only Nessus 3. This is why Nessus 2 will
continue to be maintained and will stay under the GPL.

To make things simple :

- Nessus 2 : GPL, will have regular releases containing bug fixes
- Nessus 3 : free of charge, contains major improvements


The two versions can share most of their plugins -- we intend to
maintain backward compatibility whenever possible for most
vulnerability checks. Some checks will only work on Nessus 3 (ie: we
are about to release a set of plugins to determine policy
compliance), but the huge majority will work on either platform
likewise.


Finally, the Nessus GUI has been split in a separate project
(NessusClient) which is released under the GPL. The 'nessus' client
in Nessus3 is CLI only, as it will be in Nessus 2.4.x. For a GUI, use
NessusClient.


Testers needed
---------------

That being said, we are looking for experienced Nessus users who
would want to try Nessus 3.0.0rc1. For the sake of simplicity, we
would like users running on Red Hat ES3 or ES4 platforms or
compatible. We are looking for people scanning big networks, mostly
to collect performance information. Keep in mind that Nessus3 is CLI
only, so you'll have to use NessusWX or be familiar with the CLI.


If you are interested in testing Nessus 3.0.0rc1, please drop me a
line at <deraison@nessus.org> (no @gmail/@hotmail/@anonymous accounts
please).


Thanks,

                                  -- Renaud







_______________________________________________
Nessus-announce mailing list
Nessus-announce@list.nessus.org
http://mail.nessus.o...nessus-announce

----- End forwarded message -----


_______________________________________________
Sent through the nmap-hackers mailing list
http://cgi.insecure....fo/nmap-hackers


It's very sad.

#2 Exvitel

Exvitel

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 345 posts

Posted 07 October 2005 - 08:55 PM

You'll get used to it...

#3 BlackRatchet

BlackRatchet

    Dangerous free thinker

  • Agents of the Revolution
  • 1,837 posts
  • Location:617/508

Posted 08 October 2005 - 12:10 AM

It's very sad.

View Post

Sad? I don't think that's the word for it. More like 'disappointing', disappointing in the fact that they were forced to go this route. Fyodor said it best in that "Open source really is a two-way street.", and a lot of people fail to see that. (Never mind the fact that I think the GPL is overly restrictive with it's source restrictions.)

Of course, if people are really nutty about this, they'll take Nessus2 and really give it a good overhaul. Just because it may be no longer supported by the Nessus people doesn't mean that someone can't take it under their wing and continue development.

#4 Exvitel

Exvitel

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 345 posts

Posted 08 October 2005 - 07:58 AM

Disregard that last post I made, it was suposed to be a post somewhere else...

And yes, I am with BlackRachet, disappointing

#5 Merk

Merk

    Mack Daddy 31337

  • Members
  • 242 posts
  • Location:t3|-| |337 |*|_/-\&lt;3

Posted 15 October 2005 - 04:57 PM

It's very sad.

View Post

Sad? I don't think that's the word for it. More like 'disappointing', disappointing in the fact that they were forced to go this route. Fyodor said it best in that "Open source really is a two-way street.", and a lot of people fail to see that. (Never mind the fact that I think the GPL is overly restrictive with it's source restrictions.)

Of course, if people are really nutty about this, they'll take Nessus2 and really give it a good overhaul. Just because it may be no longer supported by the Nessus people doesn't mean that someone can't take it under their wing and continue development.

View Post


I would like to know what your views are on restrictions of the GPL are. I have not read the entire thing, but a large chunk of it, and I haven't seen many things that I would find very restricting. I am a beginning programmer, and have not produced something under the GPL, so I have not had much experience with the restrictions of it.


Disregard that last post I made, it was suposed to be a post somewhere else...

And yes, I am with BlackRachet, disappointing

View Post


I do think that it fit in with the topic, and there's always the edit feature.

#6 cerealkiller76

cerealkiller76

    Mack Daddy 31337

  • Members
  • 246 posts
  • Location:5-3-0

Posted 15 October 2005 - 09:38 PM

There is a Gnessus fork looking for developers.




BinRev is hosted by the great people at Lunarpages!