Nessus 3.0 Released
duplo1 writes Tenable Security has announced the release of Nessus 3.0. Nessus is an enterprise-level vulnerability scanner, and this new version brings a complete rewrite of the Nessus engine, redesigned for increased speed and efficiency and running, on average, twice as fast as Nessus 2. From the release: "In addition to gaining dramatic improvements in performance, Tenable also provides an optional Direct Feed subscription service for Nessus 3.0 which provides immediate access to new vulnerability checks and entitles Nessus 3.0 users to commercial support from Tenable. The Tenable Plugins include support for a rating methodology called Common Vulnerability Scoring System (CVSS) that can be used to express the criticality of a discovered vulnerability or threat."
You know, not GPL anymore. Did that escape you while writing the ad?
Worth mentioning (though it has already been covered here on /.) is that this is the first closed-source version.
English is easier said than done.
I thought he was Hindmost's lover :o
http://www.networkmirror.com/EA6knu7cjqyrJMp6/home.businesswire.com/portal/site/google/index.jsp%3FndmViewId%3Dnews_view%26newsId%3D20051212005715%26newsLang%3Den.html
I'm not fat, just big boned...
Gan Family Homepage
Ahhh what a pleasure to feel safe and good, knowing that my network is regularly audited by this now non-opensource Nessus security scanner. This product is developed by a respectable company, that really know computers, networks, and stuff like that. They have a fantastic website very well administered, and very safe. You know for sure that for example, given their competence and immense wisdom, such a website will NEVER succumb under intense intrusion attacks, denial of service attacks, and this kind of crazy things. Look just go to www.nessus.org.
Without trying to sound like spam, we're currently using a vulnerability checking system called "nCircle IP360" (yeah, knock off the Xbox jokes). This thing needs constant updates and upgrades in order to keep track of the numerous vulnerabilities out in the wild. The thing even detects a Commodore 64 with ethernet cartridge as a recognized operating system! It too, gives each server it tests a vulnerability score.
Thing is, when you're talking about constantly updated files for vulnerabilities, we're delving into the realm of virus-scanners and ad-ware scanners. There's gold in those downloadable updates people. Makes sense to me why Nessus is no longer open sourcing their new stuff.
READY.
PRINT ""+-0
Anything labelled 'enterprise'.
TOTALLY SYNERGISTIC, DOOD! CUSTOMER DRIVEN EXIT PLAN MANUFACTURERED END USER APPLICATION LOGIC POWER AT THE END OF TEH DAY!!!!!!!!111111111111111
Peel the onion! Shift the paradigm! Web 2.0! Low-risk, high-yield objective mindshare total quality driven living document!
Does being an "Enterprise level vulnerability scanner" mean that it can be used to figure out how to remotely shut down the Klingon cloaking device or make a Borg cube self-destruct ?-)
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
I'm thinking Core Impact etc...how does Nessus 3.0 rate against them ?
I dunno if you've seen the licencing for Core Impact lately but it's VERY expensive....
cheers!
Not everyone will avoid anything that isn't free/libre, especially if the quality is good. The free software community brought it upon themselves by not helping out and in the case of the rebranders, for stealing all sources of revenue nessus had when GPL. 100 hour weeks hacking on code don't come for free, you know. We'd all prefer it to be free, but it's not essential
~HTP~ Hug that tux
I mean, seriously, it's been GPL all these years, the developers were putting in the hours and the hard work (And don't give me that c*ap about community contributions, because in relative terms, there wasn't really any).
And they were suffering because people were essentially taking their work and simply rebranding it and selling it as their own. Isn't it only fair that Tenable themselves should now have the opportunity to sell what is, after all predominantly their work?
I'm quite sick of all these GPL-fanatical twits going on about how evil Tenable is for doing what any reasonable person would have done. It's a wonder that Tenable put up with all the other companies selling their work for as long as they did.
Also, guys, lay off the whole "haha, we slash-dotted your server" cracks... I mean, what can possibly stand before the might of
cya,
Victor
Traditionally people have trusted closed source antiviruses and firewalls...
~HTP~ Hug that tux
...all my enterprise level vulnerabilities.
- There's no place like 127.0.0.1
Another fine example of typical hippies/commies slashdoter mentality.
Where do you people get off with this entitlement? The application was free for a long time!!! Did any of you tards bother to help them out? Version 2 is still out there. Free! You don't like Tenable changing the license? Go freaking fork version 2 and do something useful other than bitching about someone else's hard work!!!
What a bunch of whiners.
You know, not GPL anymore. Did that escape you while writing the ad?
From TFA:
Nessus 3.0 was developed in response to growing market demand from enterprises, government agencies and consultants for a commercially licensed version of Nessus. Nessus 3.0 users will now have access to a number of commercial support and training options from Tenable Network Security. Tenable Network Security will continue to manage, distribute and maintain the open source version, Nessus 2.x. (emphasis mine)
Did that escape you while you were writing your kneejerk response? Of course it did: you couldn't be bothered to read the FIRST PARAGRAPH of the article.
I want to drag this out as long as possible. Bring me my protractor.
And how often do you audit all the code in the software anyway? You can't rely on the community to do that for you, very few in the community know the code well enough to know what everything does anyway. In the case of nessus where next to no code was contributed, how are you supposed to know it's safe just because it's free/libre?
~HTP~ Hug that tux
Just to make it perfectly clear. YOU were supposed to give patches back. YOU were supposed to help improve it. Instead YOU f***ed them over by re-branding it. That is the wonderful GPL for you. And all of you that feel "entitled" to the GPL version -- fork off. Most of you make me sick because you can't even see that YOU were the problem and YOU were the cause of the license change. The only thing you care about is the "communist" GPL.
Typical marketing nonsense. At the time of writing not a single article is claiming entitlement or anything like it. All they're saying is they think the license change for them is a step backwards.
A license is part of the featureset of a program. Some people think the license is an important feature. Deal with it.
---
Paid marketers are the worst zealots.
Just curious... I mean, Nessus is a pretty despicable centaur, tried to rape Hercules' wife and then, after being fatally wounded, tricks her into poisoning herself with his blood.
http://en.wikipedia.org/wiki/Nessus_(mythology)
Perhaps it is named for the Pierson's Puppeteer?
"Waste not one watt!" - CZ
I mean poisoning herc, not herself.
"Waste not one watt!" - CZ
(Sorry for the following soapbox, but I'm really tired of the profession using terms interchangeably)
"Common Vulnerability Scoring System (CVSS) that can be used to express the criticality of a discovered vulnerability or threat."
1.) Outside of a box infected by a Worm, how can it find a threat?
Does it actually track down the human or natural threats?
2.) How does it find "vulnerabilities"? Does it understand the capabilities of the threat source? Make an intuitive judgement on how skilled the attacker is? How does it measure the strengths of surrounding controls that mitigate the vulnerability?
3.) How does it measure criticality? It instinctively knows that the IIS vuln. on the intranet blog is less critical than the same IIS vuln. on an e-commerce app?
Perhaps what they mean is that the scanner finds weaknesses, and that the CVSS really makes an educated guess as to the *level of effort* it would require to exploit that weakness by what is in their mind the average attacker.
Oh, well, at least they aren't claiming to find "risk".
"oohhh... I didn't know Schopenhauer was a philosopher!"
Ok they changed the license
But how can they do this on behalf of all the people that contributed to the project? If coder X submitted his code 2 years ago, can they decide to change the license of the work that was submitted by coder X?
In cyberspace nobody knows you're a cat!
If you don't trust closed source security products, if you would prefer to have the support of a worldwide community rather than a small handful of developers, use OpenVAS.
Were it not for Nessus' roots in open source it (and Tenable) would have been unlikely to have seen the light of day, and the void they filled would have been instead occupied by some other open source project that accomplished the same goals. Instead our security is being adversely affected by greed when others (eg MySQL, RedHat) have proven that there are profits to be had by providing associated services. It is indeed unfortunate that Slashdot is giving them undeserved publicity.
Yes, they provided a lot to the community but they have also reaped the benefits of the associated exposure and are now attempting (hopefully unsuccessfully) to turn that into cash.
It ___CLEARLY___ states that it has been released for Linux/BSD at this time. I'd imagine Solaris, AIX, Windows, and other platforms will follow, but for the time being, they set a release date for Linux/BSD, a large market. Give it time. Let them test the Linux/BSD releases and then go from there.
-M
when you see the word 'Linux', drink!
The following platforms will be supported in early 2006 :
* Mac OS X 10.3 and 10.4
* Microsoft Windows 2000/XP Pro/2003
* Solaris 9 and 10
when you see the word 'Linux', drink!
What this all comes down to is our responsibilities as users and developers to the OSS products we use. Part of the idea behind open source is that the users contribute back to the project to better the project. You do not have to be a developer to do this, you can submit bug reports, help with graphics/web design, help with documentation, etc...
s there. These people have families, or at least need to feed themselves, and cannot put this amount of work into a product that is making others money while they may or may not be going through hardship themselves.
With the nessus project, yes there is community development, but the amount of contributed code was disproportionate to the long hard hours the core team has put in to it. I am not saying that community developers have done nothing, but a good example of what i mean is located http://www.nessus.org/plugins/index.php?view=newe
In the end, you get what you pay for. Whether it be MS Windows, FreeBSD, Linux, Nessus, whatever..... Either you pay in cash or make your contribution.
I will continue to use Nessus, it has saved my a** numerous times and will continue to do so for as long as it is a great product.
Ok - title makes it sound like a troll - or whatever. Fact is, these people have to make a living. Other fact is - a lot of people made a living off their work without giving ANYTHING back.
/. is soo much more important... *sigh* It's not your right to have access to someone's work, it's a privilege. If it's abused, too bad, but don't bitch about it when the rules change due to that...
As you can see on their CVS servers, there are barely any external contributions. Isn't that the whole point of the GPL? Everybody profits from everybody's changes. That didn't happen, so YOU may be using Nessus 2.x without giving anything back. It's not a bad thing, but these people do this for their living. All the bitching about the morals of the whole GPL stuff, why isn't there any bitching about ripping off Nessus? It's the same thing for me as Cherry OS - which ripped off the wine project. The only difference was, the nessus rip-offs provided the source code, written by Tenable, and were open about it. What's the difference? They openly say "I'm a parasite, and I admit it", and it's ok by the GPL, so no problem. I would not have a problem with it if those people contributed to the nessus project, and I'm absolutely confident that it would still be GPL'd if this had been the case - but it isn't. Sorry - if you make money out of a project like that, the least you could do is contribute in some way to it.
I think there's a huge difference between company-driven OSS programs, and "hobby" projects in this regard. If I would be the CEO or responsible for a company, and I suddenly see the profit go down because your biggest competitors are guys simply copying all your hard work, without giving anything back and having no development costs at all, I wouldn't hesitate for a second what to do. Do something that gives me the advantage back - and they did. Even legally, I would have to, simply to protect the rights of the share-holders, because that's the world we live in, not some kind of GPL fairy-tale.
Now it is forked, which is an old version which is 1 or 2 years behind the current Nessus release. If nobody contributed to the first project, do they really believe that anybody will contribute to the "GPL" fork? Maybe in the beginning, but when all the buzz is over, forget it. The project will be buried in a few years. Most companies like plug-and-play security scanners, but paying someone to help write one? Don't forget, Nessus isn't targeted at the hobbyist's network at home, but at large enterprise-size networks. This means companies, not people who use and profit from it - either way. Why do you think there aren't any other large GPL'd network intrusion/monitoring systems? Because the geek with his 20-computer network doesn't need a tool like Nessus, but companies do. GPL is about freedom for the people for me; companies are there to make money, and if they use a tool to ensure they can make money, I think it would be perfectly normal to charge them for it in some way. GPL doesn't provide anything like this, too bad, but I perfectly understand the decision they made, no hard feelings. If I were in their shoes, I'd do the same thing.
I also bet most of the ones bitching about it not being GPL anymore never contributed to any GPL project in some way. Stop criticizing, and start contributing to the GPL fork, but no, prolly no-one will do it anyway, spending time posting bullshit on
Compare it to someone who makes doors for friends; they just need to pay for the materials, he does the work for free because he likes it. Then he sees that a lot of people he knows want doors. He still makes them for free, but charges something to install them. Suddenly other people go fetch doors he makes for free, and start charging for installing them also, but no-one offers to help him make the doors. Doesn't that sound plain wrong to you? To me it does... If he then starts charging for a new kind of door which is more silent, but the old ones would still be for free, would you bitch about it?
Peo
And that feature has been taken away. There is no requirement that the vendor keep offering that feature.
Like ClamAV and pf?
But apparently it's not acceptable for users to note among themselves that this feature, which some feel is rather important, is now missing - with little fanfare.
1) there is a difference between "maintaining" and "developing".
2) the new version (which is where all active development will happen) changed its license; this was not mentioned in the advertisement appearing at the top of this page and is a pretty fucking significant omission.
3) you do not get any extra mod points by adding more asterisks.
in conclusion, stop pretending you are the internet police. you are doing a really shit job of it.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Every Sun Enterprise server I've ever dealt with has been a tremendous pile of shit.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
3rd parties wrap Nessus and resell it for tens of thousands of dollars? Why is that? Well, because Nessus sucks. It sucked when I started trying to make it work seven years ago, it sucks now.
3rd parties that wrap Nessus are still just putting lipstick on a pig. Under all that gloss, it still smells.
Why? One word: Renaud. "Affectionately" known as "Frenchey" around where I work, the guy has a reputation as being an arrogant ass who doesn't care one bit for helping the community, and a third-rate programmer. We gave him dozens of architectural design ideas, none of which he implemented well. The man's a joke, his "product" shows it.
Fuck Tenable, Nessus, and the horse they rode in on. And all you girlie-men that keep kissing their ass, defending their move. GPL -> Closed Source is ass-backwards in my view. I won't be using their tool anymore.