I second Nessus. I get all the client software vulnerabilities and since I'm not allowed to exploit them during most of my tests, I share names and snippets and links to the respective exploits to show their "let's patch service vulnerabilities first" mindset should be slightly adjusted. Getting a list of all software running on a system is nice too - and it works on Windows and Linux with the respective credentials.

I shopped around for my company and this turned out the most affordable for how small they are.

On Jan 19, 2011 9:50 AM, "John Strand" <[email protected]> wrote:
> You know I am biased.
>
> However, I have had nothing but good results from Nessus.
>
> Also, the reporting in the newest version is miles better than it was.
>
> For the cost, you cannot beat it.
>
> There have been a few people I have talked to recently that say that Nessus
> does not do DB, network device or application level checks. Some say, it
> only does OS checks. I do not quite know where this rumor started, but it
> is untrue. It does excellent checks on these devices.
>
> I am sure Paul or Ron know the specifics.
>
> *Summon Gula or Asadorian!*
>
> Finally, check out the credentialed scans. Rather than just checking for
> external vulnerabilities, you can also check client side software as well.
>
> HTH,
>
> John
>
> On Tue, Jan 18, 2011 at 10:59 AM, Butturini, Russell <[email protected]> wrote:
>
>> I'd just double check and make sure you understand the licensing options
>> for Nexpose. There are some very affordable ones that don't require buying
>> big hardware and are optimized to run on notebook PCs.
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of Zate Berg
>> Sent: Tuesday, January 18, 2011 10:29 AM
>> To: PaulDotCom Security Weekly Mailing List
>> Subject: Re: [Pauldotcom] Small/Medium Business Scanner
>>
>> I'd vote for Nessus in your situation too. Possibly combine it with
>> something like Seccubus (V2 is due out soon).
>>
>> Zate
>>
>> On Tue, Jan 18, 2011 at 10:00 AM, Dark Harper <[email protected]> wrote:
>> > Hi all,
>> >
>> > This one's probably been around and around a dozen times but I'm after
>> > some advice/recommendations on a vulnerability scanner for a small to
>> > medium sized business.
>> >
>> > My short list is now down to two - Nessus or NeXpose.
>> >
>> > Our environment is spread across three sites, around 50 nodes in each.
>> > The sites are not permanently linked. One of those sites is PCI DSS compliant.
>> > I've been using OpenVAS but am not a fan. Access to remote scanners
>> > is via SSH tunnels/small links.
>> >
>> > Cost is definitely a consideration as budget is tight this year. I'm
>> > leaning towards Nessus as it is miles cheaper than NeXpose and
>> > requires much lower spec hardware from what I can tell. Recent
>> > Metasploit plugin is also a plus. Can anyone say why I would put up the
>> > extra cash for NeXpose?
>> >
>> > -Dark
>
> --
> John Strand
> Office: (605) 550-0742
> Cell: (303) 710-1171

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
