[Openvas-discuss] libnasl

Jan-Oliver Wagner jan-oliver.wagner at intevation.de
Tue Apr 3 08:34:09 CEST 2007


John,

Am Montag 02 April 2007 19:41 schrieb John Moser:
> Will OpenVAS continue to utilize Nessus libnasl from the Nessus open
> source client, and remain compatible with Nessus plug-ins?

OpenVAS must use its own libnasl. Unfortunately -- one reason is
that no OpenSSL exception has been expressed by Tenable for
libnasl.

> I believe 
> staying API-compatible with Nessus libnasl will be a strong move, as
> Tenable gives us a very good vulnerability plug-in stream.

It is intended to stay compatible. At least as along as it makes sense.

> It may be wise to work with Tenable to concoct an RFC for NASL.  A
> standardized Network Attack Script Language would allow other projects
> similar to this or Metasploit to take advantage of a standard method of
> creating attack scripts.  Consideration on extension of the language to
> support operation as Metasploit does may also prove interesting (i.e.
> have NASL support giving plug-ins hooks that allow connecting together a
> scan with an exploit, and an exploit with a payload; while scanning, a
> safe scan would not use an exploit and a more reliable scan would use an
> exploit connected to a payload that just ack'd back a message like
> "Attack Confirmed" and closed the connection).
>
> I am not sure how open Tenable will be to RFCing NASL.  They closed
> sourced Nessus because everyone else was slapping their name on it.

Is this the official rationale?

> Ideally, the Nessus subscription feed would give Tenable revenue;
> however, this didn't happen.  I don't know what to do about that... they
> have a business to run, they had obvious problems with what was
> happening, and we can't really fault them.  As an end-user, I don't want
> to lose Tenable as a valuable source of vulnerability scanning plug-ins.

Even if OpenVAS stays compatible with current NASL, AFAIU it is
not allowed to use other than GPL feed with anything else not downloaded
from the nessus.org web site. (I am currently offline but I think you can read
this in the contract for the direct feed).
So, actually you are not even allowed to use those feeds with e.g. a debian
package of nessus. Which in fact does not matter much because the Debian
package itself already violates the license (no OpenSSL exception for 
server) ;-)

Apart from that I have heard (I really haven't checked) that
Nessus3 uses some extended NASL which is only released as
binary under a proprietary license. If anyone could correct me on this,
I'd appreciate.

I am also quite sad that Teable did no make it to have revenues out of
Free Software based Nessus and Plugins. However, I think the
reasons are debatable. In fact, debates happened on some mailing lists.
Perhaps the OpenVAS project can work out a proof for such a Free Software
business model ... ? I'd welcome any voices about this :-)

Best

	Jan



More information about the Openvas-discuss mailing list