Nessus 3.0 Released

← Back to Stories (view on slashdot.org)

Posted by ScuttleMonkey on Monday December 12, 2005 @08:23PM from the now-vulnerable-to-consumer-aquisition dept.

duplo1 writes Tenable Security has announced the release of Nessus 3.0. Nessus is an enterprise level vulnerability scanner and this new version brings a complete rewrite of the Nessus engine redesigned for increased speed and efficiency running on the average, twice as fast as Nessus 2. From the release: "In addition to gaining dramatic improvements in performance, Tenable also provides an optional Direct Feed subscription service for Nessus 3.0 which provides immediate access to new vulnerability checks and entitles Nessus 3.0 users to commercial support from Tenable. The Tenable Plugins include support for a rating methodology called Common Vulnerability Scoring System (CVSS) that can be used to express the criticality of a discovered vulnerability or threat."

24 of 108 comments (clear)

Min score:

Reason:

Sort:

There's also the itsy bitsy license change... by Anonymous Coward · 2005-12-12 20:29 · Score: 5, Informative

You know, not GPL anymore. Did that escape you while writing the ad?
1. Re:There's also the itsy bitsy license change... by burns210 · 2005-12-12 22:29 · Score: 3, Informative
  
  Yea, they do actually. It is a revenue source for slashdot, paid stories. No kidding.
2. Re:There's also the itsy bitsy license change... by Mark+Round · 2005-12-12 22:58 · Score: 4, Interesting
  
  Which is a major PITA, as there's currently no download for anything other than x86 Linux/FreeBSD. I run Nessus on Solaris (I'm the maintainer for the Blastwave.org packages), and it is this ramification of the license change that I find most infuriating. It wouldn't perhaps be so bad if Tenable could guarantee that all platforms would have binaries available for them - but this means they're leaving a large section of their userbase out in the cold. And woe betide you if you're running anything they consider really obscure or not worth supporting. Here's to the continued development of the forked GPL version.
3. Re:There's also the itsy bitsy license change... by zerocool^ · 2005-12-13 01:31 · Score: 2, Interesting
  
  *sigh*
  
  Just get a $200 e-machine computer from best buy, wipe it, install ubuntu or whatever, and run the new nessus under x86 / linux. If you're worried about security or conformity of machines on your network, leave it turned off when not scanning. Or, boot off of a ubuntu or knoppix live cd and install nessus 3.0, configure it, and run it - save the config file to a thumbdrive for future runs - if you don't want to dedicate a computer to the task.
  
  While I agree that it would be nice to be able to run it under solaris natively, x86 computers are essentially commodity hardware now. I'd imagine in the time it took you to type this post on slashdot, you probably could have walked around the office and found a computer that wasn't being used for anything - I know I could have.
  
  ~W
  
  --
  sig?
4. Re:There's also the itsy bitsy license change... by Mark+Round · 2005-12-13 01:52 · Score: 4, Insightful
  
  And if I wanted to host this at our datacentre, in order to scan the systems on our network which is firewalled off from the outside world ? I'd then have to shell out for additional rack space, power, etc. Not to mention that in many environments "just bung a live CD into an x86 box" won't get past upper management ? Throwing additional hardware (even if it is "commodity" as you say) is hardly a great solution and only further encourages vendors to provide closed source solutions.
  
  Once the source is closed, your option of running software on the platform of your choice may be gone forever. You're then totally dependant on the developer to continue supporting your platform. You also, by extension, have to hope they never go out of business, especially if their product incorporates some sort of time-locked licensing. If they wake up one morning and decide that it's no longer economically viable to continue building their product for your platform, you're screwed. Never mind that you may have built your entire infrastructure around a certain technology, and it's not economically viable for you to jump ship to whatever the flavour of the month is; if you want to continue running closed source product X, you have to dance to the beat of the developers' drum.
5. Re:There's also the itsy bitsy license change... by millerjl · 2005-12-13 02:19 · Score: 2, Insightful
  
  According to the nessus.org site, OS X, Solaris, and Windows platforms are supported in early 2006. So for those of us who are currently running nessus on these platforms, we are now experiencing a minor inconvience. In the meantime, be patient and test the software out on linux. That way when it comes out on the platform you are already familiar with the changes and can implement them more effectively.
  
  --
  --- I never lie when I have sand in my shoes.
Nessus 3 no longer GPL by hunterx11 · 2005-12-12 20:30 · Score: 4, Informative

Worth mentioning (though it has already been covered here on /.) is that this is the first closed-source version.

--
English is easier said than done.
1. Re:Nessus 3 no longer GPL by barefootgenius · 2005-12-12 20:44 · Score: 5, Informative
  
  It has forked though. Here's their DokuWiki link
  
  http://www.openvas.org/doku.php?id=
  
  --
  /. bug #926803 - Why I can post.
Hindmost by Spy+Handler · 2005-12-12 20:30 · Score: 4, Funny

Nessus is an enterprise level vulnerability scanner
I thought he was Hindmost's lover :o
Now that Tenable is /.'d by Cherita+Chen · 2005-12-12 20:33 · Score: 3, Informative

You can find a mirror to the release here. Good luck trying to download though...
http://www.networkmirror.com/EA6knu7cjqyrJMp6/home .businesswire.com/portal/site/google/index.jsp%3Fn dmViewId%3Dnews_view%26newsId%3D20051212005715%26n ewsLang%3Den.html

--
I'm not fat, just big boned...
v3.0 Download? What Download? by perlionex · 2005-12-12 20:39 · Score: 3, Interesting

Nessus 3.0 is immediately available for download from Tenable...
Their website doesn't list 3.0 as being available for download, just the old 2.26. What's up?

--
Gan Family Homepage
Vulnerability shoots and scores by Neo-Rio-101 · 2005-12-12 20:58 · Score: 4, Insightful

Without trying to sound like spam, we're currently using a vulnerability checking system called "nCircle IP360" (yeah, knock off the Xbox jokes). This thing needs constant updates and upgrades in order to keep track of the numerous vulnerabilities out in the wild. The thing even detects a Commodore 64 with ethernet cartridge as a recognized operating system! It too, gives each server it tests a vulnerability score.

Thing is, when you're talking about constantly updated files for vulnerabilities, we're delving into the realm of virus-scanners and ad-ware scanners. There's gold in those downloadable updates people. Makes sense to me why Nessus is no longer open sourcing their new stuff.

--
READY.
PRINT ""+-0
Enterprise level ? by ultranova · 2005-12-12 21:35 · Score: 2, Funny

Does being an "Enterprise level vulnerability scanner" mean that it can be used to figure out how to remotely shut down the Klingon cloaking device or make a Borg cube self-destruct ?-)

--
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Yeah, but there's also... by hug_the_penguin · 2005-12-12 21:51 · Score: 5, Interesting

...the fact it's majorly improved. Of the people here, most of them won't care that it's closed source, purely because of the reason they closed the source. If it hadn't been for rebranding issues, (IMO a fault with the GPL), nessus would still be open source. It's still the best there is, people will still use it.
Not everyone will avoid anything that isn't free/libre, especially if the quality is good. The free software community brought it upon themselves by not helping out and in the case of the rebranders, for stealing all sources of revenue nessus had when GPL. 100 hour weeks hacking on code don't come for free, you know. We'd all prefer it to be free, but it's not essential

--
~HTP~ Hug that tux ;)
1. Re:Yeah, but there's also... by Anonymous Coward · 2005-12-12 22:06 · Score: 2, Interesting
  
  > Not everyone will avoid anything that isn't free/libre, especially if the quality is good.
  
  For security related software???
2. Re:Yeah, but there's also... by seifried · 2005-12-12 22:20 · Score: 5, Informative
  
  "Do you mean to tell me that the Nessus team found every vuln themselves and then coded an exploit to check for such vuln?"
  
  In a nutshell yes. They don't actually find all the vulnerabilities themselves, for that you can simply check the CVE database/etc. However as far as writing the plugins to check for the actual flaw/etc most of those were written by the core team, very few have been contributed by outsiders. Basically Nessus loses almost no outside development in moving to a closed source model, one of the biggest reasons to open source something (gain outside developers).
3. Re:Yeah, but there's also... by Kjella · 2005-12-12 23:49 · Score: 3, Insightful
  
  If it hadn't been for rebranding issues, (IMO a fault with the GPL), nessus would still be open source.
  
  If your OSS business model relies on someone else not slapping their logo on it and selling it, then you have the wrong business model. It is not a fault with the GPL, and I'd be very worried if the GPL started making demands on when or if you could fork a project. I can sell "Mynix computers with Mohawk web server, YourSQL database and MyHP scripting language" (= LAMP) any day of the week, I doubt anyone would buy it. As long as the rebranders were respecting the GPL, it is Nessus' fault for not getting through to their customers about who is the source of this tool, and whom to support if they want it to continue. If you can't make any money other than on product sale, perhaps OSS is not for you. I'd much rather accept that than to see the GPL expand to become something like a "look, but don't touch" model.
  
  --
  Live today, because you never know what tomorrow brings
4. Re:Yeah, but there's also... by hug_the_penguin · 2005-12-13 00:37 · Score: 2, Insightful
  
  Except for the license, which apparently took a major step backwards.
  So it's crap because of the licence? I don't buy that
  You have no idea. Likely, people who don't regard open and free licenses as important are reading cnet etc. anyway, not slashdot.
  I regard them as a nicety, not an essential. End of the day, I want the best security across my servers, and I'd rather accept a closed source nessus with superior detection than an open source gnessus with inferior detection. (Of course if Gnessus takes off and becomes better, great stuff, I'd prefer that).
  Which is? The two page press release said nothing.
  It did say they were gaining very little benefit from being open source, very little code had been contributed, and when it happened, i remember reading it was about rebranding.
  Wrong. They chose the license and if they wanted they could've had a variant of GPL with whatever branding exceptions they wanted.
  When you go into making a product like this, you like to keep the nature of free software open, you don't go about assuming that people will take your product and rebrand it, thereby stealing your custom
  Except for the license.
  I won't, I'll be using the forked open source version.
  
  So you're willing to settle for inferior security for the sake of a licence? A nicety only, security is the most important thing to their systems, you can't afford to skimp based on licence.
  The license is part of the feature set of the program. Different people regard different features as important. Some people regard a quality license as important. No surprises there.
  Naturally people will see different features as important, but i would say it was safe to assume that in security, effectivemess at creating security is the best thing, and so nessus would win out over gnessus. Of course I'm here purely thinking from the point of view that I want my servers to stay standing for the forseeable future...
  I don't know the situation but just as likely it's Nessus' fault for not controlling their brand with the appropriate license, open or closed, and/or providing a service that consumers would prefer over the rebranders.
  What can you provide to a free/beer product that makes it more valuable than rebrands? You can't pull closed source here because you're claiming the main fault with nessus is it's closed source. As for another open source licence, I agree this should have been done in the first place, but c'est la vie.
  More likely Nessus is going closed source because they've got mindshare now and they think they can make more money closed source. It's happened before. Open source for them was simply a loss leader to get free advertising.
  It would be interesting to take a look at their accounts and find out if this is indeed true.
  Sometimes it does, sometimes it doesn't. There are many motivations besides money for creating code and with 6,500,000,000+ people in the world all it takes is 0.0001% coding to get something happening.
  Yes, but there is the small fact of having to live, and 100 hours a week is hard to fit around a job providing sufficient income to live.
  Depends on the individual and whether they regard an open license as a negative, unimportant, important or essential.
  Very few people would be in the negative group, and i would say it's about a 45 each on unimportant and important. Not so many regard it as essential, like you might think. There are those groups who would sacrifice security for openness, however, but they are the minority.
  
  --
  ~HTP~ Hug that tux ;)
5. Re:Yeah, but there's also... by Just+Some+Guy · 2005-12-13 03:58 · Score: 2, Insightful
  
  Not everyone will avoid anything that isn't free/libre, especially if the quality is good.
  You're probably right. Only the terminally paranoid will refuse to run a closed source vulnerability finder on their network.
  Then again, the terminally paranoid are pretty much the only audience for this software. People with trusting natures don't tend to become security auditors in the first place, and even if they do, they don't tend to make a career out of it (mainly because they lack the mindset to be truly great at it).
  
  --
  Dewey, what part of this looks like authorities should be involved?
To be fair... by victorhooi · 2005-12-12 22:10 · Score: 4, Insightful

Guys, lay off the slagging, ok?

I mean, seriously, it's been GPL all these years, the developers were putting in the hours and the hard work (And don't give me that c*ap about community contributions, because in relative terms, there wasn't really any).

And they were suffering because people were essentially taking their work and simply rebranding it and selling it as their own. Isn't it only fair that Tenable themselves should now have the opportunity to sell what is, after all predominantly their work?

I'm quick sick of all these GPL-fanatical twits going on about how evil Tenable is for doing what any reasonable person would have done. It's a wonder that Tenable put up with all the other companies selling their work for as long as they did.

Also, guys, lay off the whole "haha, we slash-dotted your server" cracks..I mean, what can possible stand before the might of /., huh? Sun, eBay, Amazon, all of these petty masses shall cower before us, for we shall crush them under teh (sic) boot of our T1 1337-ness....

cya,
Victor
Re:Security Software by hug_the_penguin · 2005-12-12 22:15 · Score: 2, Interesting

Traditionally people have trusted closed source antiviruses and firewalls...

--
~HTP~ Hug that tux ;)
***RTFA*** by sczimme · 2005-12-12 23:40 · Score: 2, Informative

You know, not GPL anymore. Did that escape you while writing the ad?

From TFA:

Nessus 3.0 was developed in response to growing market demand from enterprises, government agencies and consultants for a commercially licensed version of Nessus. Nessus 3.0 users will now have access to a number of commercial support and training options from Tenable Network Security. Tenable Network Security will continue to manage, distribute and maintain the open source version, Nessus 2.x. (emphasis mine)

Did that escape you while you were writing your kneejerk response? Of course it did: you couldn't be bothered to read the FIRST PARAGRAPH of the article.

--
I want to drag this out as long as possible. Bring me my protractor.
Really Lousy Use of Security Lexicon by Alexander · 2005-12-13 00:40 · Score: 2, Insightful

(Sorry for the following soapbox, but I'm really tired of the profession using terms interchangably)

"Common Vulnerability Scoring System (CVSS) that can be used to express the criticality of a discovered vulnerability or threat."

1.) Outside of a box infected by a Worm, how can it find a threat?

Does it actually track down the human or natural threats?

2.) How does it find "vulnerabilities"? Does it understand the capabilities of the threat source? Make an intuitive judgement on how skilled the attacker is? How does it measure the strengths of surrounding controls that mitigate the vulnerability?

3.) How does it measure criticality? It instincitively knows that the IIS vuln. on the intranet blog is less critical than the same IIS vuln. on an e-commerce app?

Perhaps what they mean is that the scanner finds weaknesses, and that the CVSS really makes an educated guess as to the *level of effort* it would require to exploit that weakness by what is in their mind the average attacker.

Oh, well, at least they aren't claiming to find "risk".

--
"oohhh... I didn't know Schopenhauer was a philosopher!" ..."uhhh yeah, he's the one that begins with
GPL bullshit by packman · 2005-12-13 04:10 · Score: 2, Insightful

Ok - title makes it sound like a troll - or whatever. Fact is, these people have to make a living. Other fact is - a lot of people made a living of their work without giving ANYTHING back.

As you can see on their CVS servers, there are barely any external contributions. Isn't that the whole point of GPL? Everybody profits from everybodies changes. That didn't happen, so YOU may be using Nessus 2.x without giving anything back. It's not a bad thing, but these people do this for their living. All the bitching about the moral of the whole GPL stuff, why isn't there any bitching about ripping off Nessus? It's the same thing for me as Cherry OS - which ripped off the wine project. The only difference was, the nessus rip-offs provided the source code, written by Tenable and were open about it. What's the difference? They openly say "I'm a parasite, and I admit it", and it's ok by the GPL, so no problem. I would not have a problem with it when those people contributed to the nessus project, and I'm a absolutely confident that it would still be GPL'd if this would have been the case - but it isn't. Sorry - if you make money out of a project like that, the least you could do is contribute in some way to it.

I think there's a huge difference between company-driven OSS programs, and "hobby" projects in this regard. If I would be the CEO or responsible for a company, and I suddenly see the profit go down because your biggest competitors are guys simply copying all your hard work, without giving anything back and having no development costs at all, I wouldn't hesitate for a second what to do. Do something that gives me the advantage back - and they did. Even legally, I would have to, simply to protect the rights of the share-holders, because that's the world we live in, not some kind of GPL fairy-tale.

Now it is forked, which is an old version which is 1 a 2 years behind the current Nessus release. If nobody contributed in the first project, do they really believe that anybody will contribute to the "GPL" fork? Maybe in the beginning, but when all the buzz is over, forget it. The project will be burried in a few years. Most companies like plug-and-play security-scanners, but paying someone to help writing one? Don't forget, Nessus isn't targettet at the hobbyist's network at home, but at large enterprise-size networks. This means, companies, not people who use and profit from it - either way. Why do you think there aren't any other large GPL'd network intrusion/monitoring systems? Because the geek with his 20 computer-network doesn't need a tool like Nessus, but companies do. GPL is about freedom for the people for me, companies are there to make money, and if they use a tool to ensure they can make money, I think it would be perfectly normal to charge them for it in some way. GPL doesn't provide anything like this, too bad, but I perfectly understand the decision they made, no hard feelings. If I'd be in their shoes, I'd do the same thing.

I also bet most of the ones bitching about it not being GPL anymore never contributed to any GPL project in some way. Stop critisizing, and start contributing to the GPL-fork, but no, prolly no-one will do it anyway, spending time posting bullshit on /. is soo much more important... *sigh* It's not your right to have access to someone's work, it's a privilege. If it's abused, too bad, but don't bitch about it when the rules change due to that...

Compare it to someone who makes doors for friends, they just need to pay the materials, he does the work for free cause he likes it. Then he sees that a lot of people he knows want doors. He still makes them for free, but charges something to install them. Suddenly other people go fetch doors he makes for free, and start charging for installing them also, but no-one offers to help him making the doors. Doesn't that sound plain wrong to you? To me it does... If he then starts charging for a new kind of doors which are more silent, but the old-ones would still be for free, would you bitch about it?
Peo