On 08/22/07 11:00, [EMAIL PROTECTED] wrote:

Hi John,

> is the creation of a plugin based on how widely the software is
> deployed?

At Tenable, some of the considerations that go into deciding whether to write a Nessus plugin include:

- Is it for a vulnerability that's already been announced? We don't do 0-days.

- If it's for a vulnerability, is that vulnerability valid? The number of bogus claims that make it onto the various mailing lists or even vulnerability databases is amazing!

- If it's for a vulnerability, how critical is that vulnerability? We're much more likely to do a plugin for one that provides for unauthenticated remote code execution with root / SYSTEM privileges than another that simply causes an installation path to be displayed in an error message. We also tend to skip checks for XSS issues unless they're persistent or in major applications.

- How popular is the affected hardware / software with respect to the Nessus user base? This is definitely a big factor in deciding whether to write a plugin for the vast majority of web-related issues but less so for critical vulnerabilities.

- Has a fix or work-around been announced for the vulnerability? This is more of a concern with products from major vendors such as Microsoft / Cisco.

- How quickly, efficiently, and reliably will the plugin run? We tend to avoid checks that need to send large amounts of traffic or take a long time to complete.

- How would a plugin impact the target? We sometimes pass on checks for vulnerabilities that require crashing an important service because we feel few people are likely to run the check.

- Will the plugin require credentials? While scans can be configured with some credentials, we try to avoid plugins that would require yet another set to function.

- Can we exploit the vulnerability in a plugin or do we need to do a banner check? Banner checks of open-source products are prone to false-positives so we tend to avoid them, except for widely-deployed software like Apache and sendmail.

Also, we generate a number of plugins for local checks automatically from published vendor advisories. As new advisories are released, new plugins will be released shortly afterwards.

Finally, realize that anyone can write plugins, even pen-testers who might discover that we missed something and want to contribute back to the community. :-)

George
--
[EMAIL PROTECTED]
