From shawnduffy at gmail.com Fri May 1 17:17:34 2009
From: shawnduffy at gmail.com (Shawn Duffy)
Date: Fri, 1 May 2009 11:17:34 -0400
Subject: [Openvas-discuss] Definitive list of client preferences
Message-ID: <83386960905010817mbdb9d1el3b515e379daf7c1e@mail.gmail.com>

As I've mentioned before, I'm in the process of developing a web frontend to OpenVAS. I'm currently working on building custom scan templates and profiles. In order to do so, I need to be able to store client preferences in the database. But I can't seem to find a definitive list of the available client preferences. There is a list in the OTP docs but it doesn't appear to be complete:

http://www.openvas.org/compendium/otp-preferences.html

Is there a definitive list somewhere of all the possible preferences a client could send to the server?

Thanks!
Shawn

From lists at securityspace.com Fri May 1 21:12:32 2009
From: lists at securityspace.com (Thomas Reinke)
Date: Fri, 01 May 2009 15:12:32 -0400
Subject: [Openvas-discuss] Definitive list of client preferences
In-Reply-To: <83386960905010817mbdb9d1el3b515e379daf7c1e@mail.gmail.com>
References: <83386960905010817mbdb9d1el3b515e379daf7c1e@mail.gmail.com>
Message-ID: <49FB49A0.90600@securityspace.com>

The definitive list is subject to change from time to time. While not encouraged due to UI bloat, any NASL script can define a preference that the UI is then supposed to display and allow input on. To see them all, simply go to the plugins directory and enter

$ find . -exec grep -H script_add_pref \{\} \;

Thomas

Shawn Duffy wrote:
> As I've mentioned before, I'm in the process of developing a web
> frontend to OpenVAS. I'm currently working on building custom scan
> templates and profiles. In order to do so, I need to be able to store
> client preferences in the database. But I can't seem to find a
> definitive list of the available client preferences. There is a list
> in the OTP docs but it doesn't appear to be complete:
>
> http://www.openvas.org/compendium/otp-preferences.html
>
> Is there a definitive list somewhere of all the possible preferences a
> client could send to the server?
>
> Thanks!
> Shawn
> _______________________________________________
> Openvas-discuss mailing list
> Openvas-discuss at wald.intevation.org
> http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
>

From relinon at web.de Sun May 3 18:24:05 2009
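[Added example, not part of any message in this thread and not OpenVAS project code: a parser that collects the same script_add_preference declarations the find/grep suggestion in Thomas Reinke's reply lists, but as structured records a frontend could store. The record field names, the *.nasl file filter, the treatment of radio values as ";"-separated choices with the first as default, and the sample script are assumptions made for illustration.]

```python
"""Added example: inventory the preferences that NASL plugins declare."""
import re
from pathlib import Path

CALL_START = re.compile(r"\bscript_add_preference\s*\(")
# key:"value" or key:'value' (escapes are only honoured in single-quoted strings)
NAMED_ARG = re.compile(r"""(\w+)\s*:\s*(?:"([^"]*)"|'((?:[^'\\]|\\.)*)')""")

# Constructed sample input, not a real plugin.
SAMPLE_NASL = '''
if (description) {
  script_name("Example wrapper");
  # script_add_preference(name:"Disabled pref", type:"entry", value:"x");
  script_add_preference(name:"TCP scanning technique :", type:"radio",
                        value:"connect();SYN scan;FIN scan");
  script_add_preference(name:"Passwords file : ", type:"file", value:"");
  script_add_preference(type:'checkbox', name:'Be verbose', value:'no');
  exit(0);
}
'''


def _call_body(text, open_paren):
    """Return the argument text of the call whose '(' is at open_paren.

    Quotes are tracked so that a ')' or ';' inside a string value, such as
    the radio choice connect(), does not end the call early.
    Returns None when the call is never closed.
    """
    depth, quote, i = 0, None, open_paren
    while i < len(text):
        ch = text[i]
        if quote:
            if ch == "\\" and quote == "'":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return text[open_paren + 1:i]
        i += 1
    return None


def parse_preferences(source, plugin):
    """Extract every preference declared in one NASL source string."""
    records = []
    for match in CALL_START.finditer(source):
        line_start = source.rfind("\n", 0, match.start()) + 1
        if "#" in source[line_start:match.start()]:
            continue                        # declaration is commented out
        body = _call_body(source, match.end() - 1)
        if body is None:
            continue                        # truncated file or syntax error
        # Named arguments may come in any order.
        args = {key: dq or sq for key, dq, sq in NAMED_ARG.findall(body)}
        if "name" not in args:
            continue
        kind = args.get("type", "")
        value = args.get("value", "")
        # Assumption: radio values list the choices, first one is the default.
        choices = value.split(";") if kind == "radio" else []
        records.append({
            "plugin": plugin,
            "name": args["name"],
            "type": kind,
            "default": choices[0] if choices else value,
            "choices": choices,
        })
    return records


def scan_plugin_dir(root):
    """Walk a plugins directory and return the records of all *.nasl files."""
    records = []
    for path in sorted(Path(root).rglob("*.nasl")):
        records += parse_preferences(path.read_text(errors="replace"), path.name)
    return records


if __name__ == "__main__":
    for record in parse_preferences(SAMPLE_NASL, "example.nasl"):
        print(record)
```

[Because any plugin can add preferences, the inventory has to be rebuilt after each feed update rather than stored once.]
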
From: relinon at web.de (Lazar Todorovic)
Date: Sun, 03 May 2009 18:24:05 +0200
Subject: [Openvas-discuss] invalid SEND_PLUGINS_MD5 response
Message-ID: <615546013@web.de>

Whenever I try to connect to my server I get "invalid SEND_PLUGINS_MD5 response from server". What should I do?

From jan-oliver.wagner at intevation.de Sun May 3 21:33:22 2009
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Sun, 3 May 2009 21:33:22 +0200
Subject: [Openvas-discuss] invalid SEND_PLUGINS_MD5 response
In-Reply-To: <615546013@web.de>
References: <615546013@web.de>
Message-ID: <200905032133.22985.jan-oliver.wagner@intevation.de>

On Sunday 03 May 2009 18:24:05 Lazar Todorovic wrote:
> Whenever I try to connect to my server I get "invalid SEND_PLUGINS_MD5
> response from server". What should I do?

Which server versions (modules -libraries, -libnasl, -server, -plugins) of the modules and which client version are you using?

Best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From ekah at gmx.net Mon May 4 11:12:06 2009
From: ekah at gmx.net (Joerg Eckert)
Date: Mon, 04 May 2009 11:12:06 +0200
Subject: [Openvas-discuss] ssh-check is always on
Message-ID: <20090504091206.97060@gmx.net>

Hello to all of you

I have installed the newest openvas version and use the new linux client. If I want to check a target I always receive in the report included a ssh check. I don't want this, but I don't know where I could switch this off.

It's not important if I only scan for explicit ports (all other stuff switched off (general, plugins, prefs) or if I do for example a conficker scan.

I receive a report but always with additional ssh (22/tcp) included line.

Please can you help me?

If you need more information please tell me what you need.

regards

Joerg

ps.: sorry for my english (my german is better :-)

From felix.wolfsteller at intevation.de Mon May 4 12:41:58 2009
From: felix.wolfsteller at intevation.de (Felix Wolfsteller)
Date: Mon, 4 May 2009 12:41:58 +0200
Subject: [Openvas-discuss] ssh-check is always on
In-Reply-To: <20090504091206.97060@gmx.net>
References: <20090504091206.97060@gmx.net>
Message-ID: <200905041241.58660.felix.wolfsteller@intevation.de>

Hi Joerg

Might have to do with the selected port scanner (in the Options/General tab). Eventually it ignores the selection you provided.
Is there a message displayed if you select the 'ssh (22/tcp) ' item in the report?

-- felix

On Monday 04 May 2009 11:12:06 Joerg Eckert wrote:
> Hello to all of you
>
> I have installed the newest openvas version and use the new linux client.
> If I want to check a target I always receive in the report included a ssh
> check. I don't want this, but I don't know where I could switch this off.
>
> It's not important if I only scan for explicit ports (all other stuff
> switched off (general, plugins, prefs) or if I do for example a conficker
> scan.
>
> I receive a report but always with additional ssh (22/tcp) included line.
>
> Please can you help me?
>
> If you need more information please tell me what you need.
>
> regards
>
> Joerg
>
> ps.: sorry for my english (my german is better :-)

--
Felix Wolfsteller | ++49-541-335 08 3451 | http://www.intevation.de/
PGP Key: 39DE0100
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From jan-oliver.wagner at intevation.de Mon May 4 12:52:33 2009
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Mon, 4 May 2009 12:52:33 +0200
Subject: [Openvas-discuss] OpenVAS this week at DORS/CLUC 2009 in Zagreb, Croatia
Message-ID: <200905041252.35841.jan-oliver.wagner@intevation.de>

Hello,

I know it is very late info: I will give some presentations about OpenVAS at the main Linux/Free Software event of Croatia, DORS/CLUC 2009 ( http://www.open.hr/dc2009/ ).

I guess all Croatian people here are already aware of this event ;-)
However, the presentations are in English, so it addresses a broad audience.

All the best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335083-0 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From bchandra at secpod.com Mon May 4 13:15:58 2009
From: bchandra at secpod.com (Chandrashekhar B)
Date: Mon, 4 May 2009 16:45:58 +0530
Subject: [Openvas-discuss] ssh-check is always on
In-Reply-To: <200905041241.58660.felix.wolfsteller@intevation.de>
References: <20090504091206.97060@gmx.net> <200905041241.58660.felix.wolfsteller@intevation.de>
Message-ID: <82E45D820ACE42F1A3F5D30B4D888E5B@bchandra>

Joerg,

By default, OpenVAS identifies all open ports and the corresponding services attached (plugin find_service.nes). In case you want these messages not to appear, select "Silent" in "Plugins" section.

Thanks,
Chandra.

From felix.wolfsteller at intevation.de Mon May 4 14:02:45 2009
From: felix.wolfsteller at intevation.de (Felix Wolfsteller)
Date: Mon, 4 May 2009 14:02:45 +0200
Subject: [Openvas-discuss] Fwd: Re: ssh-check is always on
Message-ID: <200905041402.45293.felix.wolfsteller@intevation.de>

Hi Joerg

Could you turn off "Dependencies: Enable at runtime" in the plugin view (where 0 plugins are enabled)? Also switch off "Silent" if that was not yet the case.

The SSH authorization script should indeed only be executed if you have selected a script that depends on/includes it.

You can increase the verbosity of the openvasd.dump / openvasd.message files in your openvasd.conf (enable anything with "logging"). When you did so and restarted the server, it should be possible to tell which plugin causes ssh_authorization.nasl to attempt a ssh connection to the target (in openvasd.messages). Be sure to close the connection from client in between.

-- felix

On Monday 04 May 2009 13:46:58 you wrote:
> Hi Felix
>
> If I open the report there is a light bulb and if I click on it there is
> the following information:
>
> -------
>
> Reported by NVT "SSH Authorization" (1.3.6.1.4.1.25623.1.0.90022):
>
> It was not possible to login using the SSH credentials supplied. Hence
> local security checks is not enabled.
>
> -------
>
> But, I don't want to check for SSH. And I couldn't find any hint where I
> implemented such a check. The plugins are all disabled (double checked
> now). 0 enabled.
> Target = 1 target, nothing special
> On general tab there is: Optimize test and Safe checks on.
> I scan for port range: 445,8081,9593, 9595
>
> I tried portscanning with different portscanners (nmap, openvas etcpp). I
> also have a task for conficker only. But every time it want to check for SSH
> and I can see this in the report. It's every time the same result.
>
> regards Joerg

--
Felix Wolfsteller | ++49-541-335 08 3451 | http://www.intevation.de/
PGP Key: 39DE0100
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From relinon at web.de Mon May 4 20:54:38 2009
From: relinon at web.de (Lazar Todorovic)
Date: Mon, 04 May 2009 20:54:38 +0200
Subject: [Openvas-discuss] invalid SEND_PLUGINS_MD5 response
Message-ID: <616911876@web.de>

> which server versions (modules -libraries, -libnasl, -server, -plugins)
> of the modules and which client version are you using?

The Ubuntu Jaunty packages - that means 2.0.0 build 2 for everything except the client (which is 1.0.4 build 1). Most likely I have caused the problem by installing the openvas-plugin source package from your website, since Ubuntu doesn't seem to offer it (and I don't know any sensible possibility of NOT using it, since the openvas-nvt-sync script is also there). Thanks for your fast answer :-)

From michael.wiegand at intevation.de Tue May 5 08:02:35 2009
From: michael.wiegand at intevation.de (Michael Wiegand)
Date: Tue, 5 May 2009 08:02:35 +0200
Subject: [Openvas-discuss] invalid SEND_PLUGINS_MD5 response
In-Reply-To: <616911876@web.de>
References: <616911876@web.de>
Message-ID: <20090505060235.GA31042@intevation.de>

* Lazar Todorovic [ 4. May 2009]:
> > which server versions (modules -libraries, -libnasl, -server, -plugins)
> > of the modules and which client version are you using?
>
> The Ubuntu Jaunty packages - that means 2.0.0 build 2 for everything
> except the client (which is 1.0.4 build 1). Most likely I have caused
> the problem by installing the openvas-plugin source package from your
> website, since Ubuntu doesn't seem to offer it (and I don't know any
> sensible possibility of NOT using it, since the openvas-nvt-sync
> script is also there). Thanks for your fast answer :-)

Please do note that the 1.0.x client is *NOT* compatible with the 2.0.x server. This might cause your issue. Debian packages for all modules are available from apt.intevation.org, they should work for Jaunty as well.

Regards,

Michael

--
Michael Wiegand | OpenPGP: D7D049EC | Intevation GmbH - www.intevation.de
Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From jan-oliver.wagner at intevation.de Tue May 5 07:24:10 2009
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Tue, 5 May 2009 07:24:10 +0200
Subject: [Openvas-discuss] invalid SEND_PLUGINS_MD5 response
In-Reply-To: <616911876@web.de>
References: <616911876@web.de>
Message-ID: <200905050724.10838.jan-oliver.wagner@intevation.de>

On Monday 04 May 2009 20:54:38 Lazar Todorovic wrote:
> > which server versions (modules -libraries, -libnasl, -server, -plugins)
> > of the modules and which client version are you using?
>
> The Ubuntu Jaunty packages - that means 2.0.0 build 2 for everything except
> the client (which is 1.0.4 build 1).

Client 1.x is not compatible with server 2.x.

> Most likely I have caused the problem
> by installing the openvas-plugin source package from your website, since
> Ubuntu doesn't seem to offer it (and I don't know any sensible possibility
> of NOT using it, since the openvas-nvt-sync script is also there). Thanks
> for your fast answer :-)

A moderately new version of openvas-plugins should not do any harm.

Best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From michael.wiegand at intevation.de Tue May 5 14:27:08 2009
From: michael.wiegand at intevation.de (Michael Wiegand)
Date: Tue, 5 May 2009 14:27:08 +0200
Subject: [Openvas-discuss] invalid SEND_PLUGINS_MD5 response
In-Reply-To: <200905050724.10838.jan-oliver.wagner@intevation.de>
References: <616911876@web.de> <200905050724.10838.jan-oliver.wagner@intevation.de>
Message-ID: <20090505122708.GE31042@intevation.de>

> > Most likely I have caused the problem
> > by installing the openvas-plugin source package from your website, since
> > Ubuntu doesn't seem to offer it (and I don't know any sensible possibility
> > of NOT using it, since the openvas-nvt-sync script is also there). Thanks
> > for your fast answer :-)
>
> A moderately new version of openvas-plugins should not do any harm.

A small correction: The openvas-plugins 1.0.6 tarball contained a buggy NASL script. If you did not do an openvas-nvt-sync before the first server start, this might have corrupted both the server and the client cache.

Solution for this case: Stop server and client, delete both caches, restart server.

Hope that helped.

Regards,

Michael

--
Michael Wiegand | OpenPGP: D7D049EC | Intevation GmbH - www.intevation.de
Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From felix.wolfsteller at intevation.de Wed May 6 09:43:14 2009
From: felix.wolfsteller at intevation.de (Felix Wolfsteller)
Date: Wed, 6 May 2009 09:43:14 +0200
Subject: [Openvas-discuss] ssh-check is always on
In-Reply-To: <200905041241.58660.felix.wolfsteller@intevation.de>
References: <20090504091206.97060@gmx.net> <200905041241.58660.felix.wolfsteller@intevation.de>
Message-ID: <200905060943.14285.felix.wolfsteller@intevation.de>

(Joerg's mails didn't make it to openvas-discuss, I forward them)

"Joerg Eckert" wrote:

Hello

> Could you turn off "Dependencies: Enable at runtime" in the plugin view
> (where 0 plugins are enabled)? Also switch off "Silent" if that was not
> yet the case.

Done for both (already done, only checked).

> The SSH authorization script should indeed only be executed if you have
> selected a script that depends on/includes it.

ok, so we have to search for this problem.
(remark: with my vmware-installation I have this problem too, and they are installed independently and not copied)

> You can increase the verbosity of the openvasd.dump / openvasd.message
> files in your openvasd.conf (enable anything with "logging").

ok, there is not much of logging.

openvasd.dump=
SSH-DEBUG: Not setting login information for local check at x.x.x.x : No mapping found
[16686]//usr/lib/openvas/plugins/hydra_options.nasl) script_get_preference_file_location: could not get local file name from preference Passwords file :

openvasd.messages=
[Mon May  4 15:44:19 2009][16671] user Eckert starts a new scan. Target(s) : 10.200.126.6, with max_hosts = 20 and max_checks = 6
[Mon May  4 15:44:19 2009][16671] user Eckert : testing (x.x.x.x) [16676]
[Mon May  4 15:44:19 2009][16676] shared_socket: Secret/SSH/socket is unknown
[Mon May  4 15:44:19 2009][16676] process_internal_msg for ssh_authorization.nasl returned -1
[Mon May  4 15:44:29 2009][16676] Finished testing x.x.x.x. Time : 10.22 secs
[Mon May  4 15:44:29 2009][16671] user Eckert : test complete
[Mon May  4 15:44:29 2009][16671] Total time to scan all hosts : 10 seconds
[Mon May  4 15:44:29 2009][16671] user Eckert : Kept alive connection

I used the newest client and server I can get from atomic. Running CentOS here. Client runs on the same machine (don't have a win client).

Is there any other config I can check? Some debug I can configure?
(yes, server and client always restarted after config changes)

regards

Joerg

------------------------------------EMAIL2----------------------------------------
From: "Joerg Eckert"
To: openvas-discuss at wald.intevation.org
Subject: Re: RE: [Openvas-discuss] ssh-check is always on
Date: Mon, 04. May 2009 13:51:48 +0200

Hello

I wrote (unfortunately) directly to Felix (sorry for that):

If I open the report there is a light bulb and if I click on it there is the following information:

-------

Reported by NVT "SSH Authorization" (1.3.6.1.4.1.25623.1.0.90022):

It was not possible to login using the SSH credentials supplied. Hence local security checks is not enabled.

-------

But, I don't want to check for SSH. And I couldn't find any hint where I implemented such a check.
-> The plugins are all disabled (double checked now). 0 enabled.
Target = 1 target, nothing special
On general tab there is: Optimize test and Safe checks on.
I scan for port range: 445,8081,9593, 9595

I tried portscanning with different portscanners (nmap, openvas etcpp). I also have a task for conficker only. But every time it want to check for SSH and I can see this in the report. It's every time the same result.

regards Joerg

I've checked with and without selected silent - no difference.

--
Felix Wolfsteller | ++49-541-335 08 3451 | http://www.intevation.de/
PGP Key: 39DE0100
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From felix.wolfsteller at intevation.de Wed May 6 09:43:52 2009
From: felix.wolfsteller at intevation.de (Felix Wolfsteller)
Date: Wed, 6 May 2009 09:43:52 +0200
Subject: [Openvas-discuss] ssh-check is always on
In-Reply-To: <200905060943.14285.felix.wolfsteller@intevation.de>
References: <20090504091206.97060@gmx.net> <200905041241.58660.felix.wolfsteller@intevation.de> <200905060943.14285.felix.wolfsteller@intevation.de>
Message-ID: <200905060943.52143.felix.wolfsteller@intevation.de>

On Wednesday 06 May 2009 09:29:06 Joerg Eckert wrote:
> Hello
>
> > Could you turn off "Dependencies: Enable at runtime" in the plugin view
> > (where 0 plugins are enabled)? Also switch off "Silent" if that was not
> > yet the case.
>
> Done for both (already done, only checked).

It was just an intuition of mine.

> > The SSH authorization script should indeed only be executed if you have
> > selected a script that depends on/includes it.

Recently the mechanism of socket acquisition for local checks that use ssh was changed. That change became necessary because problems with parallel scans were observed. The change included the acquisition of a ssh socket (chandra: correct me if I am wrong) in a very early phase of a scan ('ACT_INIT'). You do not have any control over this from client side.

For now, all I see that you could do is to delete/move ssh_authorization.nasl from your server's plugin directory.

If ssh_authorization indeed tries to bind the socket directly, we will have to change that.

-- felix

--
Felix Wolfsteller | ++49-541-335 08 3451 | http://www.intevation.de/
PGP Key: 39DE0100
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From dcorcuera at dimartel.es Thu May 7 15:43:00 2009
From: dcorcuera at dimartel.es (David Corcuera)
Date: Thu, 07 May 2009 15:43:00 +0200
Subject: [Openvas-discuss] Possible false positives with CUPS and MySQL?
Message-ID: <4A02E564.4040807@dimartel.es>

Hi,

I am new with OpenVAS and still testing it. So perhaps, I am asking something silly.
I've installed OpenVAS from debian package in etch and ran my first scan against an internal host.
Results: 4 security holes.
Two of them are on mysql and other two on CUPS.
My debian etch has mysql 5.0.32-7etch10 and cupsys 1.2.7-4etch7 (last official etch packages)
According to OpenVAS report, I should have installed mysql 5.0.66 and cupsys 1.3.10, but my versions also fix all these vulnerabilities.
What is wrong with this? Any idea?
Here you have OpenVAS reports

Thanks in advance

dav

. Vulnerability found on port mysql (3306/tcp) :

Overview : This host is running MySQL, which is prone to Denial of Service Vulnerability.

Vulnerability Insight :
Issue is due to error while processing an empty bit string literal via a specially crafted SQL statement.

Impact :
Successful exploitation by remote attackers could cause denying access to legitimate users.

Impact Level : Application

Affected Software/OS :
MySQL versions prior to 5.0.x - 5.0.66, 5.1.x - 5.1.26, and 6.0.x - 6.0.5 on all running platform.

Fix : Update to version 5.0.66 or 5.1.26 or 6.0.6 or later.

CVSS Score :
CVSS Base Score : 7.1 (AV:N/AC:M/Au:NR/C:N/I:N/A:C)
CVSS Temporal Score : 5.6
Risk factor : High
CVE : CVE-2008-3963
BID : 31081

. Vulnerability found on port mysql (3306/tcp) :

Overview:
According to its version number, the remote version of MySQL is prone to a security-bypass vulnerability.
An attacker can exploit this issue to gain access to table files created by other users, bypassing certain security restrictions.

NOTE 1: This issue was also assigned CVE-2008-4097 because CVE-2008-2079 was incompletely fixed, allowing symlink attacks.

NOTE 2: CVE-2008-4098 was assigned because fixes for the vector described in CVE-2008-4097 can also be bypassed.

This issue affects versions prior to MySQL 4 (prior to 4.1.24) and MySQL 5 (prior to 5.0.60).

Solution:
Updates are available. Update to newer Version.

See also:
http://www.securityfocus.com/bid/29106

Risk factor : Medium
CVE : CVE-2008-2079, CVE-2008-4097, CVE-2008-4098
BID : 29106

. Vulnerability found on port ipp (631/tcp) :

Overview: This host is running CUPS (Common UNIX Printing System) Service, which is prone to Buffer Overflow and Integer Overflow Vulnerabilities.

Vulnerability Insight:
The flaws are caused due to,
- an error in the implementation of the HP-GL/2 filter and can be exploited to cause buffer overflows with HP-GL/2 files containing overly large pen numbers.
- an error within the read_rle8() and read_rle16() functions when parsing malformed Run Length Encoded(RLE) data within Silicon Graphics Image(SGI) files and can exploited to cause heap-based buffer overflow with a specially crafted SGI file.
- an error within the WriteProlog() function included in the texttops utility and can be exploited to cause a heap-based buffer overflow with specially crafted file.

Impact:
Successful exploitation allows remote attackers to execute arbitrary code or compromise a vulnerable system.

Impact Level: System

Affected Software/OS:
CUPS versions prior to 1.3.9

Fix: Upgrade to CUPS version 1.3.9
http://www.cups.org/software.php

References:
http://cups.org/articles.php?L575
http://secunia.com/advisories/32226/
http://www.frsirt.com/english/advisories/2008/2782/

CVSS Score:
CVSS Base Score : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
Risk factor: High
CVE : CVE-2008-3639, CVE-2008-3640, CVE-2008-3641
BID : 31681, 31688, 31690

. Vulnerability found on port ipp (631/tcp) :

Overview: This host is running CUPS (Common UNIX Printing System) Service, which is prone to an Integer Overflow Vulnerabilities.

Successful exploits may allow attackers to execute arbitrary code with the privileges of a user running the utilities. Failed exploit attempts likely cause denial-of-service conditions.

Affected Software/OS:
CUPS versions prior to 1.3.10

Solution:
Updates are available. Please see http://www.cups.org/software.php for more information.

References:
http://www.securityfocus.com/bid/34571
http://www.cups.org/str.php?L3031

Risk factor: High
CVE : CVE-2009-0163
BID : 34571

From jan-oliver.wagner at intevation.de Thu May 7 18:07:52 2009
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Thu, 7 May 2009 18:07:52 +0200
Subject: [Openvas-discuss] New web page to collect articles and studies about OpenVAS
Message-ID: <200905071807.52951.jan-oliver.wagner@intevation.de>

Hello,

I just created a new web page to collect articles and studies about OpenVAS:

http://www.openvas.org/articles-studies.html

If you know about any, please drop a note.

Best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From michael.wiegand at intevation.de Fri May 8 08:57:18 2009
From: michael.wiegand at intevation.de (Michael Wiegand)
Date: Fri, 8 May 2009 08:57:18 +0200
Subject: [Openvas-discuss] Possible false positives with CUPS and MySQL?
In-Reply-To: <4A02E564.4040807@dimartel.es>
References: <4A02E564.4040807@dimartel.es>
Message-ID: <20090508065717.GA19953@intevation.de>

* David Corcuera [ 7. May 2009]:
> I am new with OpenVAS and still testing it. So perhaps, I am asking
> something silly.
> I've installed OpenVAS from debian package in etch and ran my first scan
> against an internal host.
> Results: 4 security holes.
> Two of them are on mysql and other two on CUPS.
> My debian etch has mysql 5.0.32-7etch10 and cupsys 1.2.7-4etch7 (last
> official etch packages)
> According to OpenVAS report, I should have installed mysql 5.0.66 and
> cupsys 1.3.10, but my versions also fix all these vulnerabilities.
> What is wrong with this? Any idea?

I'm not really sure since I'm not a plugin author, but my first guess is that the hole was fixed in MySQL 5.0.66, but Debian backported the changes to the version they packaged for etch.

I assume you are doing a remote scan; the remote scan will probably not know that the hole has already been fixed in Debian despite the low version number.

Plugin authors: Am I right?

Regards,

Michael

--
Michael Wiegand | OpenPGP: D7D049EC | Intevation GmbH - www.intevation.de
Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From felix.wolfsteller at intevation.de Fri May 8 08:58:17 2009
From: felix.wolfsteller at intevation.de (Felix Wolfsteller) Date: Fri, 8 May 2009 08:58:17 +0200 Subject: [Openvas-discuss] openvas FAQ Message-ID: <200905080858.17205.felix.wolfsteller@intevation.de> I see four questions coming up again and again at the moment (on irc and the lists). Maybe it's time to write a FAQ or a known-issues page where we can direct people to who ask these questions. I think the involved maintenance effort is worth it. Any opinions or objections? (please give a +1 if you think it's a good idea) -- felix Keywords to questions/answers are: 1) ~invalid response: 2.0 server/ 1.0 client 2) client/ windows 3) 1.0.5 plugin release breaks cache 4) missing dependencies (e.g. smb_func.inc) are due to license and nothing evil happens. -- Felix Wolfsteller | ++49-541-335 08 3451 | http://www.intevation.de/ PGP Key: 39DE0100 Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From bchandra at secpod.com Fri May 8 09:01:46 2009 From: bchandra at secpod.com (Chandrashekhar B) Date: Fri, 8 May 2009 12:31:46 +0530 Subject: [Openvas-discuss] Possible false positives with CUPS and MySQL? In-Reply-To: <20090508065717.GA19953@intevation.de> References: <4A02E564.4040807@dimartel.es> <20090508065717.GA19953@intevation.de> Message-ID: <31F35CFFF98041A1A2C18E62F4A6945F@bchandra> Hello -----Original Message----- 
From: openvas-discuss-bounces at wald.intevation.org [mailto:openvas-discuss-bounces at wald.intevation.org] On Behalf Of Michael Wiegand Sent: Friday, May 08, 2009 12:27 PM To: David Corcuera Cc: openvas-discuss at wald.intevation.org Subject: Re: [Openvas-discuss] Possible false positives with CUPS and MySQL? * David Corcuera [ 7. May 2009]: >> I am new with OpenVAS and still testing it. So perhaps, i am asking >> something silly. >> I've installed OpenVAS from debian package in etch and ran my first scan >> against an internal host. >> Results: 4 security holes. >> Two of them are on mysql and other two on CUPS. >> My debian etch has mysql 5.0.32-7etch10 and cupsys 1.2.7-4etch7 (last >> official etch packages) >> According to OpenVAS report, i should have installed mysql 5.0.66 and >> cupsys 1.3.10, but my versions also fix all these vulnerabilities. >> What is wrong with this? Any idea? > I'm not really sure since I'm not a plugin author, but my first guess is > that the hole was fixed in MySQL 5.0.66, but Debian backported the > changes to the version they packaged for etch. > I assume you are doing a remote scan; the remote scan will probably not > know that the hole has already been fixed in Debian despite the low > version number. > Plugin authors: Am I right? Michael, you are right. The plugin would be detecting based on the package available in the open source but, individual OS vendors would have backported. So, local checks are a better approach in this case. David: Please provide the Plugins that reported security holes, we'll verify them. Thanks, Chandra. From bchandra at secpod.com Fri May 8 09:54:46 2009 
From: bchandra at secpod.com (Chandrashekhar B) Date: Fri, 8 May 2009 13:24:46 +0530 Subject: [Openvas-discuss] openvas FAQ In-Reply-To: <200905080858.17205.felix.wolfsteller@intevation.de> References: <200905080858.17205.felix.wolfsteller@intevation.de> Message-ID: <61C29098A7EB490682DB014CFFD2DF10@bchandra> FAQ is always good. +1 from my side. Chandra. -----Original Message----- From: openvas-discuss-bounces at wald.intevation.org [mailto:openvas-discuss-bounces at wald.intevation.org] On Behalf Of Felix Wolfsteller Sent: Friday, May 08, 2009 12:28 PM To: openvas-discuss at wald.intevation.org Subject: [Openvas-discuss] openvas FAQ I see four questions coming up again and again at the moment (on irc and the lists). Maybe it's time to write a FAQ or a known-issues page where we can direct people to who ask these questions. I think the involved maintenance effort is worth it. Any opinions or objections? (please give a +1 if you think it's a good idea) -- felix Keywords to questions/answers are: 1) ~invalid response: 2.0 server/ 1.0 client 2) client/ windows 3) 1.0.5 plugin release breaks cache 4) missing dependencies (e.g. smb_func.inc) are due to license and nothing evil happens. -- Felix Wolfsteller | ++49-541-335 08 3451 | http://www.intevation.de/ PGP Key: 39DE0100 Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner _______________________________________________ Openvas-discuss mailing list Openvas-discuss at wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss From mime at gmx.de Fri May 8 10:29:12 2009 
From: mime at gmx.de (Michael Meyer) Date: Fri, 8 May 2009 10:29:12 +0200 Subject: [Openvas-discuss] Possible false positives with CUPS and MySQL? In-Reply-To: <31F35CFFF98041A1A2C18E62F4A6945F@bchandra> References: <4A02E564.4040807@dimartel.es> <20090508065717.GA19953@intevation.de> <31F35CFFF98041A1A2C18E62F4A6945F@bchandra> Message-ID: <20090508082912.GA2421@m2.homelinux.org> Hello, *** Chandrashekhar B wrote: > * David Corcuera [ 7. May 2009]: > >> I've installed OpenVAS from debian package in etch and ran my first scan > >> against an internal host. > >> Results: 4 security holes. > >> Two of them are on mysql and other two on CUPS. > >> My debian etch has mysql 5.0.32-7etch10 and cupsys 1.2.7-4etch7 (last > >> official etch packages) > >> According to OpenVAS report, i should have installed mysql 5.0.66 and > >> cupsys 1.3.10, but my versions also fix all these vulnerabilities. > >> What is wrong with this? Any idea? > > > I'm not really sure since I'm not a plugin author, but my first guess is > > that the hole was fixed in MySQL 5.0.66, but Debian backported the > > changes to the version they packaged for etch. > > > I assume you are doing a remote scan; the remote scan will probably not > > know that the hole has already been fixed in Debian despite the low > > version number. > > > Plugin authors: Am I right? > > Michael, you are right. The plugin would be detecting based on the package > available in the open source but, individual OS vendors would have > backported. So, local checks are a better approach in this case. Yes, banner checks are prone to false positives. There are a few things we can do. 1. Respect settings of "report_paranoia". We can do: ,--| | if (report_paranoia < 2) exit(0); `--| on such plugins. But then these plugins will not report about a real existing vulnerability if the user doesn't change the default settings of "report_paranoia". That's the point why I don't like this solution. 2. 
Make a note in the report that this could be a false positive because the vulnerability is only detected by checking the version from banner. Any other ideas? If not, I prefer option 2. :-) > David: Please provide the Plugins that reported security holes, we'll verify > them. secpod_mysql_dos_vuln_900221.nasl mysql_29106.nasl gb_cups_mult_vuln_oct08.nasl cups_cve_2009_0163.nasl I couldn't find any problems in those plugins. Micha From mime at gmx.de Fri May 8 10:30:15 2009 From: mime at gmx.de (Michael Meyer) Date: Fri, 8 May 2009 10:30:15 +0200 Subject: [Openvas-discuss] openvas FAQ In-Reply-To: <200905080858.17205.felix.wolfsteller@intevation.de> References: <200905080858.17205.felix.wolfsteller@intevation.de> Message-ID: <20090508083015.GB2421@m2.homelinux.org> *** Felix Wolfsteller wrote: > Any opinions or objections? (please give a +1 if you think it's a good idea) +1 Micha From dcorcuera at dimartel.es Fri May 8 10:31:56 2009 From: dcorcuera at dimartel.es (David Corcuera) Date: Fri, 08 May 2009 10:31:56 +0200 Subject: [Openvas-discuss] Possible false positives with CUPS and MySQL? In-Reply-To: <31F35CFFF98041A1A2C18E62F4A6945F@bchandra> References: <4A02E564.4040807@dimartel.es> <20090508065717.GA19953@intevation.de> <31F35CFFF98041A1A2C18E62F4A6945F@bchandra> Message-ID: <4A03EDFC.2020300@dimartel.es> Hello, Chandrashekhar B escribió: > Hello > > -----Original Message----- 
> From: openvas-discuss-bounces at wald.intevation.org > [mailto:openvas-discuss-bounces at wald.intevation.org] On Behalf Of Michael > Wiegand > Sent: Friday, May 08, 2009 12:27 PM > To: David Corcuera > Cc: openvas-discuss at wald.intevation.org > Subject: Re: [Openvas-discuss] Possible false positives with CUPS and MySQL? > > * David Corcuera [ 7. May 2009]: > >>> I am new with OpenVAS and still testing it. So perhaps, i am asking >>> something silly. >>> I've installed OpenVAS from debian package in etch and ran my first scan >>> against an internal host. >>> Results: 4 security holes. >>> Two of them are on mysql and other two on CUPS. >>> My debian etch has mysql 5.0.32-7etch10 and cupsys 1.2.7-4etch7 (last >>> official etch packages) >>> According to OpenVAS report, i should have installed mysql 5.0.66 and >>> cupsys 1.3.10, but my versions also fix all these vulnerabilities. >>> What is wrong with this? Any idea? >>> > > >> I'm not really sure since I'm not a plugin author, but my first guess is >> that the hole was fixed in MySQL 5.0.66, but Debian backported the >> changes to the version they packaged for etch. >> > > >> I assume you are doing a remote scan; the remote scan will probably not >> know that the hole has already been fixed in Debian despite the low >> version number. >> > > >> Plugin authors: Am I right? >> > > Michael, you are right. The plugin would be detecting based on the package > available in the open source but, individual OS vendors would have > backported. So, local checks are a better approach in this case. > > David: Please provide the Plugins that reported security holes, we'll verify > them. > > Thanks, > Chandra. > > > Yes, it was a remote scan. I will try local check. It's my next step. 
Here are the NVTs: "MySQL MyISAM Table Privileges Secuity Bypass Vulnerability" (1.3.6.1.4.1.25623.1.0.100156) "MySQL Empty Bit-String Literal Denial of Service Vulnerability" (1.3.6.1.4.1.25623.1.0.900221) "CUPS '_cupsImageReadTIFF()' Integer Overflow Vulnerability" (1.3.6.1.4.1.25623.1.0.100150) "CUPS Multiple Vulnerabilities - Oct08" (1.3.6.1.4.1.25623.1.0.800111) Thanks for the help. dav From michael.wiegand at intevation.de Fri May 8 10:42:38 2009 From: michael.wiegand at intevation.de (Michael Wiegand) Date: Fri, 8 May 2009 10:42:38 +0200 Subject: [Openvas-discuss] openvas FAQ In-Reply-To: <200905080858.17205.felix.wolfsteller@intevation.de> References: <200905080858.17205.felix.wolfsteller@intevation.de> Message-ID: <20090508084238.GA18616@intevation.de> * Felix Wolfsteller [ 8. May 2009]: > Any opinions or objections? (please give a +1 if you think it's a good idea) +1. > 4) missing dependencies (e.g. smb_func.inc) are due to license and nothing > evil happens. smb_func.inc et al are missing includes, not dependencies. But yes, explaining the difference between includes (won't run if not satisfied) and dependencies (will run if not satisfied) will probably be useful as well. :) Regards, Michael -- Michael Wiegand | OpenPGP: D7D049EC | Intevation GmbH - www.intevation.de Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://lists.wald.intevation.org/pipermail/openvas-discuss/attachments/20090508/553fb190/attachment.pgp From felix.wolfsteller at intevation.de Fri May 8 10:47:35 2009 
From: felix.wolfsteller at intevation.de (Felix Wolfsteller) Date: Fri, 8 May 2009 10:47:35 +0200 Subject: [Openvas-discuss] Possible false positives with CUPS and MySQL? In-Reply-To: <20090508082912.GA2421@m2.homelinux.org> References: <4A02E564.4040807@dimartel.es> <31F35CFFF98041A1A2C18E62F4A6945F@bchandra> <20090508082912.GA2421@m2.homelinux.org> Message-ID: <200905081047.35934.felix.wolfsteller@intevation.de> On Friday 08 May 2009 10:29:12 Michael Meyer wrote: > Yes, banner checks are prone to false positives. There are a few > things we can do. > > 1. > Respect settings of "report_paranoia". > We can do: > > ,--| > > | if (report_paranoia < 2) exit(0); > > `--| I think using the "report_paranoia" is not a good idea. This setting is too unspecific and undocumented. With the "severity overrides" feature the user can mark certain nvts as false positives. Like mime, I would rather add a note to the message. --felix -- Felix Wolfsteller | ++49-541-335 08 3451 | http://www.intevation.de/ PGP Key: 39DE0100 Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From geoff at galitz.org Fri May 8 11:34:12 2009 From: geoff at galitz.org (Geoff Galitz) Date: Fri, 8 May 2009 11:34:12 +0200 Subject: [Openvas-discuss] openvas FAQ In-Reply-To: <200905080858.17205.felix.wolfsteller@intevation.de> References: <200905080858.17205.felix.wolfsteller@intevation.de> Message-ID: <28552B0092A54120A479A0F7C8C5DA16@geoffPC> +1 I'll integrate it with the Compendium, too. -geoff --------------------------------- Geoff Galitz Blankenheim NRW, Germany http://www.galitz.org/ http://german-way.com/blog/ From bchandra at secpod.com Fri May 8 12:24:13 2009 
From: bchandra at secpod.com (Chandrashekhar B) Date: Fri, 8 May 2009 15:54:13 +0530 Subject: [Openvas-discuss] Possible false positives with CUPS and MySQL? In-Reply-To: <20090508082912.GA2421@m2.homelinux.org> References: <4A02E564.4040807@dimartel.es><20090508065717.GA19953@intevation.de><31F35CFFF98041A1A2C18E62F4A6945F@bchandra> <20090508082912.GA2421@m2.homelinux.org> Message-ID: <646F91A4FD494F66B540C6594263428C@bchandra> > 1. > Respect settings of "report_paranoia". > We can do: > ,--| > | if (report_paranoia < 2) exit(0); > `--| > on such plugins. > 2. > Make a note in the report that this could be a false positive because > the vulnerability is only detected by checking the version from > banner. > Any other ideas? If not, i prefer option 2. :-) This is a better option, though it doesn't solve the actual problem. We had discussed this some time back about remote checks for the open source based packages since each Linux vendor will have their own version management. It was decided that we'll wait for each vendor to release the respective security advisory and develop only local checks based on that. However, for some important package vulnerabilities, we could go ahead and produce the check based on the open source package version and then add a note as suggested here. Thanks, Chandra. From mime at gmx.de Fri May 8 13:29:51 2009 
From: mime at gmx.de (Michael Meyer) Date: Fri, 8 May 2009 13:29:51 +0200 Subject: [Openvas-discuss] Possible false positives with CUPS and MySQL? In-Reply-To: <646F91A4FD494F66B540C6594263428C@bchandra> References: <20090508082912.GA2421@m2.homelinux.org> <646F91A4FD494F66B540C6594263428C@bchandra> Message-ID: <20090508112951.GA3268@m2.homelinux.org> *** Chandrashekhar B wrote: > We had discussed this some time back about remote checks for the > open source based packages since each Linux vendor will have their > own version management. It was decided that we'll wait for each > vendor to release the respective security advisory and develop only > local checks based on that. I do not agree with that. Only developing local checks for such security problems is IMHO not the best way. We don't know how many users have ever configured local checks. A lot of users will perhaps only do remote checks. We shouldn't ignore such users. I think it is better to have a few "false positives" (of course we have to tell the user that this could be a false positive because we only check the banner) than not detecting some security problems. > However, for some important package vulnerabilities, we could go ahead and > produce the check based on the open source package version and then add a > note as suggested here. Which are the "important" packages? Who defines which packages are "important" and which are not? ;-) We should come to an agreement about the note we would add to the report. All plugin developers should then use this text in their plugins. Micha From dcorcuera at dimartel.es Fri May 8 13:39:45 2009 
From: dcorcuera at dimartel.es (David Corcuera) Date: Fri, 08 May 2009 13:39:45 +0200 Subject: [Openvas-discuss] Possible false positives with CUPS and MySQL? In-Reply-To: <20090508112951.GA3268@m2.homelinux.org> References: <20090508082912.GA2421@m2.homelinux.org> <646F91A4FD494F66B540C6594263428C@bchandra> <20090508112951.GA3268@m2.homelinux.org> Message-ID: <4A041A01.9080705@dimartel.es> Michael Meyer escribió: > *** Chandrashekhar B wrote: > >> We had discussed this some time back about remote checks for the >> open source based packages since each Linux vendor will have their >> own version management. It was decided that we'll wait for each >> vendor to release the respective security advisory and develop only >> local checks based on that. >> > > I do not agree with that. > > Only develop local checks for such security problems is IMHO not > the best way. We don't know how many users have ever configured local > checks. A lot of users will perhaps only do remote checks. We shouldn't > ignore such users. > > I think it is better to have a few "false positives" (of course we > have to tell the user that this could be a false positive because we > only check the banner) than not detecting some security problems. > > Interesting subject. I also think it's better to have false positives with a comment about it than nothing. By the way. In this case, I have run a local check and it also reported as security hole in all four cases. Regards dav -- David Corcuera Atienza DIMARTEL c/ Blanco Lac 14 Bajo 26005. Logroño. La Rioja Tfno. 941217000 Fax. 941216303 dcorcuera at dimartel.es From bchandra at secpod.com Fri May 8 13:40:45 2009 
From: bchandra at secpod.com (Chandrashekhar B) Date: Fri, 8 May 2009 17:10:45 +0530 Subject: [Openvas-discuss] Possible false positives with CUPS and MySQL? In-Reply-To: <20090508112951.GA3268@m2.homelinux.org> References: <20090508082912.GA2421@m2.homelinux.org><646F91A4FD494F66B540C6594263428C@bchandra> <20090508112951.GA3268@m2.homelinux.org> Message-ID: Here is the link to the previous discussion... http://lists.wald.intevation.org/pipermail/openvas-plugins/2008-October/000185.html If you add a security_note() it appears in a separate report. Instead we could add a statement with the description, "This may be a False Positive...". Chandra. -----Original Message----- 
From: openvas-discuss-bounces at wald.intevation.org [mailto:openvas-discuss-bounces at wald.intevation.org] On Behalf Of Michael Meyer Sent: Friday, May 08, 2009 5:00 PM To: openvas-discuss at wald.intevation.org Subject: Re: [Openvas-discuss] Possible false positives with CUPS and MySQL? *** Chandrashekhar B wrote: > We had discussed this some time back about remote checks for the > open source based packages since each Linux vendor will have their > own version management. It was decided that we'll wait for each > vendor to release the respective security advisory and develop only > local checks based on that. I do not agree with that. Only develop local checks for such security problems is IMHO not the best way. We don't know how many users have ever configured local checks. A lot of users will perhaps only do remote checks. We shouldn't ignore such users. I think it is better to have a few "false positives" (of course we have to tell the user that this could be a false positive because we only check the banner) than not detecting some security problems. > However, for some important package vulnerabilities, we could go ahead and > produce the check based on the open source package version and then add a > note as suggested here. Which are the "important" packages? Who define which packages are "important" and which are not? ;-) We should come to an agreement about the note we would add to the report. All plugin-developer should then use this text in their plugins. Micha _______________________________________________ Openvas-discuss mailing list Openvas-discuss at wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss From bchandra at secpod.com Fri May 8 13:43:52 2009 
From: bchandra at secpod.com (Chandrashekhar B) Date: Fri, 8 May 2009 17:13:52 +0530 Subject: [Openvas-discuss] Possible false positives with CUPS and MySQL? In-Reply-To: <4A041A01.9080705@dimartel.es> References: <20090508082912.GA2421@m2.homelinux.org> <646F91A4FD494F66B540C6594263428C@bchandra><20090508112951.GA3268@m2.homelinux.org> <4A041A01.9080705@dimartel.es> Message-ID: <047B2A4EBC664D53B32FF2DA2D1B7735@bchandra> David, -----Original Message----- From: openvas-discuss-bounces at wald.intevation.org [mailto:openvas-discuss-bounces at wald.intevation.org] On Behalf Of David Corcuera Sent: Friday, May 08, 2009 5:10 PM To: openvas-discuss at wald.intevation.org Subject: Re: [Openvas-discuss] Possible false positives with CUPS and MySQL? > By the way. In this case, i have ran a local check and it also reported > as hole security in all four cases. The four Plugins will continue to report the vulnerability as they are only doing remote check. The corresponding local checks which address the same CVE shouldn't or will not report. Thanks, Chandra. From mime at gmx.de Fri May 8 13:59:57 2009 
From: mime at gmx.de (Michael Meyer) Date: Fri, 8 May 2009 13:59:57 +0200 Subject: [Openvas-discuss] Possible false positives with CUPS and MySQL? In-Reply-To: <047B2A4EBC664D53B32FF2DA2D1B7735@bchandra> References: <20090508082912.GA2421@m2.homelinux.org> <4A041A01.9080705@dimartel.es> <047B2A4EBC664D53B32FF2DA2D1B7735@bchandra> Message-ID: <20090508115957.GA3717@m2.homelinux.org> *** Chandrashekhar B wrote: > > By the way. In this case, i have ran a local check and it also reported > > as hole security in all four cases. > > The four Plugins will continue to report the vulnerability as they are only > doing remote check. The corresponding local checks which address the same > CVE shouldn't or will not report. Another idea. Execute the remote checks (this ones which will do check the version get from banner) only, if no local checks are configured? Micha From michael.wiegand at intevation.de Fri May 8 13:59:53 2009 
From: michael.wiegand at intevation.de (Michael Wiegand) Date: Fri, 8 May 2009 13:59:53 +0200 Subject: [Openvas-discuss] Possible false positives with CUPS and MySQL? In-Reply-To: References: <20090508112951.GA3268@m2.homelinux.org> Message-ID: <20090508115953.GD18616@intevation.de> * Chandrashekhar B [ 8. May 2009]: > Instead we could add a statement with the description, "This may be a > False Positive...". Yes, I think this would be a good idea. We could define a standard disclaimer text which plugins could use whenever they try remote version identification. The user has the possibility to mark those messages as false positives in the client already. It should be up to him to make sure this really is a false positive. Regards, Michael -- Michael Wiegand | OpenPGP: D7D049EC | Intevation GmbH - www.intevation.de Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://lists.wald.intevation.org/pipermail/openvas-discuss/attachments/20090508/2289d4dc/attachment.pgp From dcorcuera at dimartel.es Fri May 8 14:34:55 2009 
From: dcorcuera at dimartel.es (David Corcuera) Date: Fri, 08 May 2009 14:34:55 +0200 Subject: [Openvas-discuss] Possible false positives with CUPS and MySQL? In-Reply-To: <20090508115957.GA3717@m2.homelinux.org> References: <20090508082912.GA2421@m2.homelinux.org> <4A041A01.9080705@dimartel.es> <047B2A4EBC664D53B32FF2DA2D1B7735@bchandra> <20090508115957.GA3717@m2.homelinux.org> Message-ID: <4A0426EF.2040902@dimartel.es> Michael Meyer escribió: > *** Chandrashekhar B wrote: > >>> By the way. In this case, i have ran a local check and it also reported >>> as hole security in all four cases. >>> >> The four Plugins will continue to report the vulnerability as they are only >> doing remote check. The corresponding local checks which address the same >> CVE shouldn't or will not report. >> > > Another idea. Execute the remote checks (this ones which will do check > the version get from banner) only, if no local checks are configured? > > Micha > _______________________________________________ > Openvas-discuss mailing list > Openvas-discuss at wald.intevation.org > http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss > > Doing this, isn't the same as my first scan (All plugins active but ssh credentials not installed)? dav From mime at gmx.de Fri May 8 14:54:33 2009 
From: mime at gmx.de (Michael Meyer) Date: Fri, 8 May 2009 14:54:33 +0200 Subject: [Openvas-discuss] Possible false positives with CUPS and MySQL? In-Reply-To: <4A0426EF.2040902@dimartel.es> References: <20090508082912.GA2421@m2.homelinux.org> <4A041A01.9080705@dimartel.es> <047B2A4EBC664D53B32FF2DA2D1B7735@bchandra> <20090508115957.GA3717@m2.homelinux.org> <4A0426EF.2040902@dimartel.es> Message-ID: <20090508125433.GB3717@m2.homelinux.org> *** David Corcuera wrote: > Michael Meyer escribió: > > *** Chandrashekhar B wrote: > >>> By the way. In this case, i have ran a local check and it also reported > >>> as hole security in all four cases. > >>> > >> The four Plugins will continue to report the vulnerability as they are only > >> doing remote check. The corresponding local checks which address the same > >> CVE shouldn't or will not report. > >> > > > > Another idea. Execute the remote checks (this ones which will do check > > the version get from banner) only, if no local checks are configured? > > > Doing this, isn't the same as my first scan (All plugins active but ssh > credentials not installed)? What i mean was, if we have credentials and have successfully logged in into the remote host, we could perhaps deactivate these checks that only check the version we get from banner. Something like: if(local_login_succes()) exit(0); Micha From mmundell at intevation.de Fri May 8 20:21:10 2009 From: mmundell at intevation.de (Matthew Mundell) Date: 08 May 2009 18:20:10 -0001 Subject: [Openvas-discuss] openvas FAQ In-Reply-To: Message of Fri, 8 May 2009 13:24:46 +0530. <61C29098A7EB490682DB014CFFD2DF10@bchandra> Message-ID: <20090508182012.923F1DEE12@mail.ukfsn.org> +1. -- Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From dcorcuera at dimartel.es Mon May 11 08:41:30 2009 
From: dcorcuera at dimartel.es (David Corcuera) Date: Mon, 11 May 2009 08:41:30 +0200 Subject: [Openvas-discuss] Possible false positives with CUPS and MySQL? In-Reply-To: <20090508125433.GB3717@m2.homelinux.org> References: <20090508082912.GA2421@m2.homelinux.org> <4A041A01.9080705@dimartel.es> <047B2A4EBC664D53B32FF2DA2D1B7735@bchandra> <20090508115957.GA3717@m2.homelinux.org> <4A0426EF.2040902@dimartel.es> <20090508125433.GB3717@m2.homelinux.org> Message-ID: <4A07C89A.2090603@dimartel.es> Michael Meyer escribió: > *** David Corcuera wrote: > >> Michael Meyer escribió: >> >>> *** Chandrashekhar B wrote: >>> >>>>> By the way. In this case, i have ran a local check and it also reported >>>>> as hole security in all four cases. >>>>> >>>>> >>>> The four Plugins will continue to report the vulnerability as they are only >>>> doing remote check. The corresponding local checks which address the same >>>> CVE shouldn't or will not report. >>>> >>>> >>> Another idea. Execute the remote checks (this ones which will do check >>> the version get from banner) only, if no local checks are configured? >>> >>> >> Doing this, isn't the same as my first scan (All plugins active but ssh >> credentials not installed)? >> > > What i mean was, if we have credentials and have successfully logged in into > the remote host, we could perhaps deactivate these checks that only > check the version we get from banner. > > Something like: > > if(local_login_succes()) exit(0); > > Micha > _______________________________________________ > Openvas-discuss mailing list > Openvas-discuss at wald.intevation.org > http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss > > seems good idea dav From felix.wolfsteller at intevation.de Mon May 11 09:09:39 2009 
From: felix.wolfsteller at intevation.de (Felix Wolfsteller) Date: Mon, 11 May 2009 09:09:39 +0200 Subject: [Openvas-discuss] Possible false positives with CUPS and MySQL? In-Reply-To: <4A07C89A.2090603@dimartel.es> References: <20090508082912.GA2421@m2.homelinux.org> <20090508125433.GB3717@m2.homelinux.org> <4A07C89A.2090603@dimartel.es> Message-ID: <200905110909.39413.felix.wolfsteller@intevation.de> On Monday 11 May 2009 08:41:30 David Corcuera wrote: > > What i mean was, if we have credentials and have successfully logged in > > into the remote host, we could perhaps deactivate these checks that only > > check the version we get from banner. > > > > Something like: > > > > if(local_login_succes()) exit(0); > > > > Micha > > seems good idea > > dav Imho that is not a good idea. I generally dislike exit(0)s and find that NVTs should be as self-contained as possible. A 'local_login_succes' method would require either an include or a knowledge base entry. There is the concept and mechanism of 'exclude_keys' floating around in code, I do not know if it is used actively by nvt developers, but I found that it looks like a clear concept and could be adopted once it works transparently. I mean that if nvts did not run because of exclusive keys I want the client to receive a log message that a nvt was not launched because of a knowledge base entry. Following that, the logic would be the same as the example you gave, but it would not require any new include and would not exit(0), instead the plugin scheduler would notice that this plugin should not be launched because of a certain key (that was set by the local check variant). So long, I find adding the note ~"this issue was found remotely, some distros might have patched, consider local checks" would still be more informative. And with the severity-override feature it can be silenced with a couple of clicks and keypresses anyway. 
-- felix -- Felix Wolfsteller | ++49-541-335 08 3451 | http://www.intevation.de/ PGP Key: 39DE0100 Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From mime at gmx.de Mon May 11 15:49:07 2009 From: mime at gmx.de (Michael Meyer) Date: Mon, 11 May 2009 15:49:07 +0200 Subject: [Openvas-discuss] Possible false positives with CUPS and MySQL? In-Reply-To: <20090508115953.GD18616@intevation.de> References: <20090508112951.GA3268@m2.homelinux.org> <20090508115953.GD18616@intevation.de> Message-ID: <20090511134907.GA4104@m2.homelinux.org> *** Michael Wiegand wrote: > * Chandrashekhar B [ 8. May 2009]: > > Instead we could add a statement with the description, "This may be a > > False Positive...". > > Yes, I think this would be a good idea. We could define a standard > disclaimer text which plugins could use whenever they try remote version > identification. Ok, somebody must define this "disclaimer". Any volunteers? :-) I saw that the newest plugins from secpod contains the following: ***** NOTE: Please, ignore the warning if Patch is already applied. ***** Is that enough? Micha From michael.wiegand at intevation.de Mon May 11 15:53:58 2009 
From: michael.wiegand at intevation.de (Michael Wiegand) Date: Mon, 11 May 2009 15:53:58 +0200 Subject: [Openvas-discuss] Handling reported versions In-Reply-To: <20090511134907.GA4104@m2.homelinux.org> References: <20090508112951.GA3268@m2.homelinux.org> <20090508115953.GD18616@intevation.de> <20090511134907.GA4104@m2.homelinux.org> Message-ID: <20090511135357.GR4060@intevation.de> * Michael Meyer [11. May 2009]: > > Yes, I think this would be a good idea. We could define a standard > > disclaimer text which plugins could use whenever they try remote version > > identification. > > Ok, somebody must define this "disclaimer". Any volunteers? :-) > I saw that the newest plugins from secpod contains the following: > > ***** > NOTE: Please, ignore the warning if Patch is already applied. > ***** > > Is that enough? I would propose: ***** This warning was generated because $SOFTWARE on $REMOTE_HOST identified itself as $VERSION and the authors of $SOFTWARE have declared versions $FROM through $UNTIL to be affected by this issue. Please note that this issue might have already been fixed by your distribution maintainers without increasing the version number reported by the software. If you are in doubt, please refer to the security announcements from the maintainers of your distribution. If you have identified this warning as a false positive, you can create a filter by doing $(CREATE_FILTER_HOWTO). ***** What do you think? Regards, Michael -- Michael Wiegand | OpenPGP: D7D049EC | Intevation GmbH - www.intevation.de Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://lists.wald.intevation.org/pipermail/openvas-discuss/attachments/20090511/df594462/attachment.pgp From bchandra at secpod.com Mon May 11 16:00:40 2009 From: bchandra at secpod.com (Chandrashekhar B) Date: Mon, 11 May 2009 19:30:40 +0530 Subject: [Openvas-discuss] Handling reported versions In-Reply-To: <20090511135357.GR4060@intevation.de> References: <20090508112951.GA3268@m2.homelinux.org><20090508115953.GD18616@intevation.de><20090511134907.GA4104@m2.homelinux.org> <20090511135357.GR4060@intevation.de> Message-ID: Hello, -----Original Message----- 
From: openvas-discuss-bounces at wald.intevation.org [mailto:openvas-discuss-bounces at wald.intevation.org] On Behalf Of Michael Wiegand Sent: Monday, May 11, 2009 7:24 PM To: openvas-discuss at wald.intevation.org Subject: [Openvas-discuss] Handling reported versions * Michael Meyer [11. May 2009]: > > > Yes, I think this would be a good idea. We could define a standard >> > disclaimer text which plugins could use whenever they try remote version >> > identification. >> >> Ok, somebody must define this "disclaimer". Any volunteers? :-) >> I saw that the newest plugins from secpod contains the following: >> >> ***** >> NOTE: Please, ignore the warning if Patch is already applied. >> ***** >> >> Is that enough? > I would propose: > ***** > This warning was generated because $SOFTWARE on $REMOTE_HOST identified > itself as $VERSION and the authors of $SOFTWARE have declared versions > $FROM through $UNTIL to be affected by this issue. > Please note that this issue might have already been fixed by your > distribution maintainers without increasing the version number reported > By the software. If you are in doubt, please refer to the security > announcements from the maintainers of your distribution. > If you have identified this warning as a false positive, you can create > a filter by doing $(CREATE_FILTER_HOWTO). > ***** > What do you think? The first paragraph may not be needed. The proposal is to put this initially with the description (inside if(description)). So, the variables $SOFTWARE $REMOTE_HOST cannot be updated with the determined value as the desc variable will not be in scope. I think the second paragraph is good enough. Thanks, Chandra. From christian.edjenguele at owasp.org Mon May 11 16:11:39 2009 
From: christian.edjenguele at owasp.org (Christian Eric Edjenguele) Date: Mon, 11 May 2009 16:11:39 +0200 Subject: [Openvas-discuss] Handling reported versions In-Reply-To: References: <20090508112951.GA3268@m2.homelinux.org><20090508115953.GD18616@intevation.de><20090511134907.GA4104@m2.homelinux.org> <20090511135357.GR4060@intevation.de> Message-ID: <4A08321B.5080403@owasp.org> Just like Qualys Guard, we can just mark those vulnerabilities as "probable" or "possible" by reporting them with an additional custom function: security_....(). Yes! Reporting a vulnerability only from the version, usually in web applications, is a major source of false positives because the version banner is mutable. But with desktop applications such as Microsoft SQL Server the vulnerability is much more accurate because a service pack or a security patch modifies the version banner. Chandrashekhar B wrote: > Hello, > > -----Original Message----- 
> From: openvas-discuss-bounces at wald.intevation.org > [mailto:openvas-discuss-bounces at wald.intevation.org] On Behalf Of Michael > Wiegand > Sent: Monday, May 11, 2009 7:24 PM > To: openvas-discuss at wald.intevation.org > Subject: [Openvas-discuss] Handling reported versions > > * Michael Meyer [11. May 2009]: >>>> Yes, I think this would be a good idea. We could define a standard >>>> disclaimer text which plugins could use whenever they try remote > version >>>> identification. >>> Ok, somebody must define this "disclaimer". Any volunteers? :-) >>> I saw that the newest plugins from secpod contains the following: >>> >>> ***** >>> NOTE: Please, ignore the warning if Patch is already applied. >>> ***** >>> >>> Is that enough? > >> I would propose: >> ***** >> This warning was generated because $SOFTWARE on $REMOTE_HOST identified >> itself as $VERSION and the authors of $SOFTWARE have declared versions >> $FROM through $UNTIL to be affected by this issue. >> Please note that this issue might have already been fixed by your >> distribution maintainers without increasing the version number reported >> By the software. If you are in doubt, please refer to the security >> announcements from the maintainers of your distribution. >> If you have identified this warning as a false positive, you can create >> a filter by doing $(CREATE_FILTER_HOWTO). >> ***** > >> What do you think? > > The first paragraph may not be needed. The proposal is to put this initially > with the description (inside if(description)). So, the variables $SOFTWARE > $REMOTE_HOST cannot be updated with the determined value as the desc > variable will not be in scope. > > I think the second paragraph is good enough. > > Thanks, > Chandra. 
> > _______________________________________________ > Openvas-discuss mailing list > Openvas-discuss at wald.intevation.org > http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss -- Christian Eric Edjenguele IT Security Software Engineer / IT Enterprise Software Architect Mobile (IT): +39 3408580513 PGP KeyID: 0xB1654498 Key Server: http://pgp.mit.edu From lists at securityspace.com Mon May 11 16:12:06 2009 
From: lists at securityspace.com (Thomas Reinke) Date: Mon, 11 May 2009 10:12:06 -0400 Subject: [Openvas-discuss] Possible false positives with CUPS and MySQL? In-Reply-To: <20090511134907.GA4104@m2.homelinux.org> References: <20090508112951.GA3268@m2.homelinux.org> <20090508115953.GD18616@intevation.de> <20090511134907.GA4104@m2.homelinux.org> Message-ID: <4A083236.2000309@securityspace.com> Michael Meyer wrote: > *** Michael Wiegand wrote: >> * Chandrashekhar B [ 8. May 2009]: >>> Instead we could add a statement with the description, "This may be a >>> False Positive...". >> Yes, I think this would be a good idea. We could define a standard >> disclaimer text which plugins could use whenever they try remote version >> identification. > > Ok, somebody must define this "disclaimer". Any volunteers? :-) > I saw that the newest plugins from secpod contains the following: > > ***** > NOTE: Please, ignore the warning if Patch is already applied. > ***** > > Is that enough? > > Micha Something a bit more explanatory might be appropriate. Perhaps NOTE: This test relied on version number information retrieved from a banner, and as such may be a false positive. Please ensure you have the latest updates applied. or NOTE: This test relied on version number information retrieved from a banner. If the OS vendor's banner number identification scheme isn't in line with the software's version number scheme, this test might be a false positive. Please ensure you have the latest updates applied. Thomas From jan-oliver.wagner at intevation.de Mon May 11 16:12:23 2009 
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner) Date: Mon, 11 May 2009 16:12:23 +0200 Subject: [Openvas-discuss] Dropping hydra support Message-ID: <200905111612.27260.jan-oliver.wagner@intevation.de> Hello, we have a couple of NVTs that wrap the tool "hydra" (http://freeworld.thc.org/thc-hydra/). Besides being slightly out of date, I realized that this tool isn't Free Software. In fact it says it's GNU GPL and has some additional clauses. Those clauses prevent the "use for any purpose", basically it's some limits on commercial aspects. I checked back with the authors and it was confirmed that this is not by chance but rather by intention. (This explains also why hydra has been removed from Debian a while ago). I would have preferred even a tighter integration with hydra, because it is light-weight and fast. However, as things are, IMHO we have no other choice than to remove the hydra NVTs as people might unintentionally violate the license of hydra. Any concerns or other comments? Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335083-0 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From jan-oliver.wagner at intevation.de Mon May 11 16:24:56 2009 
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner) Date: Mon, 11 May 2009 16:24:56 +0200 Subject: [Openvas-discuss] OpenVAS DevCon: Invited Talk? In-Reply-To: <200904281628.11822.jan-oliver.wagner@intevation.de> References: <200904220919.40536.jan-oliver.wagner@intevation.de> <200904281628.11822.jan-oliver.wagner@intevation.de> Message-ID: <200905111624.58316.jan-oliver.wagner@intevation.de> On Tuesday, 28 April 2009, Jan-Oliver Wagner wrote: > On Wednesday, 22 April 2009, Jonas Andradas wrote: > > On Wed, Apr 22, 2009 at 9:19 AM, Jan-Oliver Wagner < > > jan-oliver.wagner at intevation.de> wrote: > > > how about inviting a talk for our OpenVAS Conference from a related > > > project? > > > Namely, I have nmap in mind. Since we plan to establish a far > > > better integration with nmap, this might make sense. > > > > I totally agree with this idea. Let's hope that they can come :) > > thanks for supporting the idea. > If no one objects, I will approach nmap project with this request ... as you have seen, I did this and CCed this list. However, nmap people did not react. Perhaps they are just drowned by their work. Another very good candidate is Metasploit. They do a great job and have a good deal of knowledge about the things we need as well for developing NVTs. I could imagine we can learn a lot from them. Though I don't want to turn OpenVAS into a rootshell provider ;-) Luckily, H D Moore even is the author of a couple of NASL scripts we have in our Feed :-) However, I have no idea what the Metasploit people think about OpenVAS. Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335083-0 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From hans.ullrich at loop.de Mon May 11 16:32:53 2009 
From: hans.ullrich at loop.de (Hans-J. Ullrich) Date: Mon, 11 May 2009 16:32:53 +0200 Subject: [Openvas-discuss] Dropping hydra support In-Reply-To: <200905111612.27260.jan-oliver.wagner@intevation.de> References: <200905111612.27260.jan-oliver.wagner@intevation.de> Message-ID: <200905111632.54312.hans.ullrich@loop.de> On Monday 11 May 2009 Jan-Oliver Wagner wrote: > Hello, > > we have a couple of NVTs that wrap the tool "hydra" > (http://freeworld.thc.org/thc-hydra/). > > Besides being slightly out of date, I realized that this tool isn't > Free Software. In fact it says it's GNU GPL and has some additional clauses. > Those clauses prevent the "use for any purpose", basically it's some limits > on commercial aspects. I checked back with the authors and it was confirmed > that this is not by chance but rather by intention. > > (This explains also why hydra has been removed from Debian a while ago). > > I would have preferred even a tighter integration with hydra, because it is > light-weight and fast. > However, as things are, IMHO we have no other choice than to remove the > hydra NVTs as people might unintentionally violate the license of hydra. > > Any concerns or other comments? > > Best > > Jan Hi Jan, this is indeed a pity! I suggest, to add thc-hydra as a module, so the user is able and can decide, to use or drop it to his purposes. If you do not include hydra into openvas directly, but as an optional addon, the user may install it (either self-compiled or as a package) or not. Doing so, there is no problem using hydra in openvas. Looking at the required NVT's, I suggest to add a NVT-repository "non-free" for those NVT's, as I think, the same problem will face us again, not only with hydra. Best regards Hans -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.wald.intevation.org/pipermail/openvas-discuss/attachments/20090511/45b6ccf0/attachment.htm From mime at gmx.de Mon May 11 16:44:11 2009 
From: mime at gmx.de (Michael Meyer) Date: Mon, 11 May 2009 16:44:11 +0200 Subject: [Openvas-discuss] Handling reported versions In-Reply-To: References: <20090511135357.GR4060@intevation.de> Message-ID: <20090511144411.GB4383@m2.homelinux.org> *** Chandrashekhar B wrote: > > I would propose: > > ***** > > This warning was generated because $SOFTWARE on $REMOTE_HOST identified > > itself as $VERSION and the authors of $SOFTWARE have declared versions > > $FROM through $UNTIL to be affected by this issue. > > Please note that this issue might have already been fixed by your > > distribution maintainers without increasing the version number reported > > By the software. If you are in doubt, please refer to the security > > announcements from the maintainers of your distribution. > > If you have identified this warning as a false positive, you can create > > a filter by doing $(CREATE_FILTER_HOWTO). > > ***** > > > What do you think? > > The first paragraph may not be needed. The proposal is to put this initially > with the description (inside if(description)). So, the variables $SOFTWARE > $REMOTE_HOST cannot be updated with the determined value as the desc > variable will not be in scope. > > I think the second paragraph is good enough. Think so too. Now i only need to know what to write for "$(CREATE_FILTER_HOWTO)" ;-) Micha From dcorcuera at dimartel.es Mon May 11 19:30:57 2009 From: dcorcuera at dimartel.es (David Corcuera) Date: Mon, 11 May 2009 19:30:57 +0200 Subject: [Openvas-discuss] ssh ports different from 22 Message-ID: <4A0860D1.407@dimartel.es> Hi list, I've a doubt that documentation couldn't solve. Is it possible to make LSC using SSH ports different from normal 22? Thanks in advance for the help. dav From cshaffer at gmail.com Mon May 11 23:41:19 2009 
From: cshaffer at gmail.com (Curt Shaffer) Date: Mon, 11 May 2009 17:41:19 -0400 Subject: [Openvas-discuss] Safe Checks Message-ID: <004d01c9d281$39c51040$ad4f30c0$@com> I just noticed that it appears when I choose the safe checks option in the 2.x client then scroll through the checks, dangerous checks still find their way into the selection. Has anyone else seen this? I need to ensure safe checks are just that only. I am searching through the list for this but I haven't found a really nice search facility for the archives :-) Thanks! Curt -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.wald.intevation.org/pipermail/openvas-discuss/attachments/20090511/046ce327/attachment.htm From bchandra at secpod.com Tue May 12 05:30:07 2009 From: bchandra at secpod.com (Chandrashekhar B) Date: Tue, 12 May 2009 09:00:07 +0530 Subject: [Openvas-discuss] Safe Checks In-Reply-To: <004d01c9d281$39c51040$ad4f30c0$@com> References: <004d01c9d281$39c51040$ad4f30c0$@com> Message-ID: <4735E23C90DA493AA14144D96393BA06@bchandra> Curt, Those checks will still appear but, they won't be launched, even if you select. Thanks, Chandra. ________________________________________ From: openvas-discuss-bounces at wald.intevation.org [mailto:openvas-discuss-bounces at wald.intevation.org] On Behalf Of Curt Shaffer Sent: Tuesday, May 12, 2009 3:11 AM To: openvas-discuss at wald.intevation.org Subject: [Openvas-discuss] Safe Checks I just noticed that it appears when I choose the safe checks option in the 2.x client then scroll through the checks, dangerous checks still find their way into the selection. Has anyone else seen this? I need to ensure safe checks are just that only. I am searching through the list for this but I haven't found a really nice search facility for the archives :-) Thanks! Curt From felix.wolfsteller at intevation.de Tue May 12 08:59:11 2009 
From: felix.wolfsteller at intevation.de (Felix Wolfsteller) Date: Tue, 12 May 2009 08:59:11 +0200 Subject: [Openvas-discuss] Handling reported versions In-Reply-To: <20090511144411.GB4383@m2.homelinux.org> References: <20090511135357.GR4060@intevation.de> <20090511144411.GB4383@m2.homelinux.org> Message-ID: <200905120859.11940.felix.wolfsteller@intevation.de> On Monday 11 May 2009 16:44:11 Michael Meyer wrote: > > > If you have identified this warning as a false positive, you can create > > > a filter by doing $(CREATE_FILTER_HOWTO). > > I think the second paragraph is good enough. > > Think so too. Now i only need to know what to write for > "$(CREATE_FILTER_HOWTO)" ;-) > > Micha something like ... a severity override (for client version >= 2.0.3). In the OpenVAS-Client GUI this can be achieved via the context-menu in the reports overview area. You can en/disable the filter in the "Extras" menu. I guess these texts should be in an include? -- felix -- Felix Wolfsteller | ++49-541-335 08 3451 | http://www.intevation.de/ PGP Key: 39DE0100 Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From felix.wolfsteller at intevation.de Tue May 12 09:08:56 2009 
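
The "Handling reported versions" thread above, modelled as an added example that is not part of any message and not OpenVAS or NASL code: a banner-based range check that fills the proposed disclaimer at scan time and labels the result "possible" unless a local package check has settled it. The product name `exampled`, its version range, the host address and the function names are constructed assumptions.

```python
import re
from string import Template

# First two paragraphs of the disclaimer proposed in the thread. The variables
# are only known once the check has run against a host, which is why they
# cannot be filled in a static plugin description.
REASON = Template(
    "This warning was generated because $SOFTWARE on $REMOTE_HOST identified "
    "itself as $VERSION and the authors of $SOFTWARE have declared versions "
    "$FROM through $UNTIL to be affected by this issue."
)
BACKPORT_NOTE = (
    "Please note that this issue might have already been fixed by your "
    "distribution maintainers without increasing the version number reported "
    "by the software. If you are in doubt, please refer to the security "
    "announcements from the maintainers of your distribution."
)


def parse_version(text):
    """Turn '1.3.7' or '5.0.51a' into a tuple that compares numerically."""
    parts = []
    for chunk in text.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", chunk)
        if m is None:
            raise ValueError(f"unparseable version component: {chunk!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def banner_version(banner, product):
    """Extract the version a service announces for `product`, or None."""
    pattern = re.escape(product) + r"[/ ]v?(\d+[A-Za-z]*(?:\.\d+[A-Za-z]*)*)"
    m = re.search(pattern, banner, re.IGNORECASE)
    return m.group(1) if m else None


def assess(host, product, banner, affected_from, affected_until,
           patched_locally=None):
    """Return a finding dict, or None when nothing should be reported.

    patched_locally is the outcome of an authenticated local package check:
    None means only the banner is available, True means the fix is installed
    (for example a distribution backport), False means it is missing.
    """
    version = banner_version(banner, product)
    if version is None:
        return None
    low, high = parse_version(affected_from), parse_version(affected_until)
    if not low <= parse_version(version) <= high:
        return None
    if patched_locally is True:
        return None  # the banner still says "old", but the fix is present
    report = REASON.substitute(SOFTWARE=product, REMOTE_HOST=host,
                               VERSION=version, FROM=affected_from,
                               UNTIL=affected_until)
    if patched_locally is None:
        # Banner evidence only: keep the finding, but say why it may be wrong.
        confidence = "possible"
        report += "\n" + BACKPORT_NOTE
    else:
        confidence = "confirmed"
    return {"host": host, "version": version,
            "confidence": confidence, "report": report}


if __name__ == "__main__":
    # Constructed banner; 192.0.2.10 is a documentation address.
    finding = assess("192.0.2.10", "exampled",
                     "Server: exampled/1.3.7 (Debian)", "1.3.0", "1.3.9")
    print(finding["confidence"])
    print(finding["report"])
```
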
From: felix.wolfsteller at intevation.de (Felix Wolfsteller) Date: Tue, 12 May 2009 09:08:56 +0200 Subject: [Openvas-discuss] ssh ports different from 22 In-Reply-To: <4A0860D1.407@dimartel.es> References: <4A0860D1.407@dimartel.es> Message-ID: <200905120908.56962.felix.wolfsteller@intevation.de> iiuc you ask whether the target machines are forced to run ssh on port 22. Short answer: code looks as if this would not be a problem, but haven't tested. SSH should not be forced to run on port 22. Ideally the/a portscanner discovers ssh running on a different port and registers this port in the knowledge base (something that can be used by nvts to communicate). Other ssh-related nvts should then look up this port and use it. I have seen this in code at some places. Usually 22 is used only if no entry in the knowledge base was found (kind of a 'fallback' or 'default'). Please just give it a try and confirm. -- felix On Monday 11 May 2009 19:30:57 David Corcuera wrote: > Hi list, > > I've a doubt that documentation couldn't solve. Is it possible to make > LSC using SSH ports different from normal 22? > > Thanks in advance for the help. > > dav > > _______________________________________________ > Openvas-discuss mailing list > Openvas-discuss at wald.intevation.org > http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss -- Felix Wolfsteller | ++49-541-335 08 3451 | http://www.intevation.de/ PGP Key: 39DE0100 Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From bchandra at secpod.com Tue May 12 09:47:39 2009 
From: bchandra at secpod.com (Chandrashekhar B) Date: Tue, 12 May 2009 13:17:39 +0530 Subject: [Openvas-discuss] ssh ports different from 22 In-Reply-To: <200905120908.56962.felix.wolfsteller@intevation.de> References: <4A0860D1.407@dimartel.es> <200905120908.56962.felix.wolfsteller@intevation.de> Message-ID: <7755FB3C16B64138ACA82DE41FDC3176@bchandra> Felix, That's actually the behavior. I actually replied to this but, think sent only to David. Thanks, Chandra. -----Original Message----- 
From: openvas-discuss-bounces at wald.intevation.org [mailto:openvas-discuss-bounces at wald.intevation.org] On Behalf Of Felix Wolfsteller Sent: Tuesday, May 12, 2009 12:39 PM To: openvas-discuss at wald.intevation.org Subject: Re: [Openvas-discuss] ssh ports different from 22 iiuc you ask whether the target machines are forced to run ssh on port 22. Short answer: code looks as if this would not be a problem, but haven't tested. SSH should not be forced to run on port 22. Ideally the/a portscanner discovers ssh running on a different port and registers this port in the knowledge base (something that can be used by nvts to communicate). Other ssh-related nvts should then look up this port and use it. I have seen this in code at some places. Usually 22 is used only if no entry in the knowledge base was found (kind of a 'fallback' or 'default'). Please just give it a try and confirm. -- felix On Monday 11 May 2009 19:30:57 David Corcuera wrote: > Hi list, > > I've a doubt that documentation couldn't solve. Is it possible to make > LSC using SSH ports different from normal 22? > > Thanks in advance for the help. > > dav > > _______________________________________________ > Openvas-discuss mailing list > Openvas-discuss at wald.intevation.org > http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss -- Felix Wolfsteller | ++49-541-335 08 3451 | http://www.intevation.de/ PGP Key: 39DE0100 Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner _______________________________________________ Openvas-discuss mailing list Openvas-discuss at wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss From dcorcuera at dimartel.es Tue May 12 11:19:21 2009 
From: dcorcuera at dimartel.es (David Corcuera) Date: Tue, 12 May 2009 11:19:21 +0200 Subject: [Openvas-discuss] ssh ports different from 22 In-Reply-To: <200905120908.56962.felix.wolfsteller@intevation.de> References: <4A0860D1.407@dimartel.es> <200905120908.56962.felix.wolfsteller@intevation.de> Message-ID: <4A093F19.8060801@dimartel.es> Felix Wolfsteller wrote: > iiuc you ask whether the target machines are forced to run ssh on port 22. > > Short answer: code looks as if this would not be a problem, but haven't > tested. > > SSH should not be forced to run on port 22. Ideally the/a portscanner > discovers ssh running on a different port and registers this port in the > knowledge base (something that can be used by nvts to communicate). > Other ssh-related nvts should then look up this port and use it. > > I have seen this in code at some places. Usually 22 is used only if no entry > in the knowledge base was found (kind of a 'fallback' or 'default'). > > Please just give it a try and confirm. > > -- felix > > On Monday 11 May 2009 19:30:57 David Corcuera wrote: > >> Hi list, >> >> I've a doubt that documentation couldn't solve. Is it possible to make >> LSC using SSH ports different from normal 22? >> >> Thanks in advance for the help. >> >> dav >> >> _______________________________________________ >> Openvas-discuss mailing list >> Openvas-discuss at wald.intevation.org >> http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss >> > > > Tested OK. I was asking this because it seemed as though LSC was not working when target was listening on port 2222. It should have been any credentials trouble. dav From dcorcuera at dimartel.es Tue May 12 17:09:27 2009 
From: dcorcuera at dimartel.es (David Corcuera) Date: Tue, 12 May 2009 17:09:27 +0200 Subject: [Openvas-discuss] Vulnerabilities detected in !packages not installed! Message-ID: <4A099127.4050700@dimartel.es> Hi list, As 'Subject' says, a scan has found some vulnerabilities in packages not installed as openoffice.org, cups, avahi, xterm, ffmpeg-debian, iceweasel, ... and more. Plugins chosen are Debian Local Security Checks. Can you give me a tip to investigate? Thanks dav From lists at securityspace.com Tue May 12 17:20:48 2009 From: lists at securityspace.com (Thomas Reinke) Date: Tue, 12 May 2009 11:20:48 -0400 Subject: [Openvas-discuss] Vulnerabilities detected in !packages not installed! In-Reply-To: <4A099127.4050700@dimartel.es> References: <4A099127.4050700@dimartel.es> Message-ID: <4A0993D0.2000700@securityspace.com> Hi David, Could you give me some more details. Which tests have tripped positive for starters. And if possible if it doesn't violate your security policies, the resulting file after running the command on the target system: COLUMNS=200 dpkg -l >/tmp/pkg.list Thomas David Corcuera wrote: > Hi list, > > As 'Subject' says, a scan has found some vulnerabilities in packages > not installed as openoffice.org, cups, avahi, xterm, ffmpeg-debian, > iceweasel, ... and more. > Plugins chosen are Debian Local Security Checks. > Can you give me a tip to investigate? > > Thanks > dav > > _______________________________________________ > Openvas-discuss mailing list > Openvas-discuss at wald.intevation.org > http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss > From paolovg at gmail.com Wed May 13 09:38:42 2009 
From: paolovg at gmail.com (Paolo Viviani) Date: Wed, 13 May 2009 09:38:42 +0200 Subject: [Openvas-discuss] epmap security hole Message-ID: <9a36f8830905130038i679b13e1h28a469f06329ae51@mail.gmail.com> Hi all, I have recently installed latest version of openvas and I have scanned a pc windows 2000 with it. Well, openvas found a security hole on port 135/tcp with risk factor high. It suggest to found solution on : . http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx The microsoft bulletin suggest to install the patch 823980, but this patch on my pc windows 2000 is already installed! Why, openvas found this vulnerability on my pc if it is just patched? excuse me for my bad english. Regards Paolo -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.wald.intevation.org/pipermail/openvas-discuss/attachments/20090513/54461453/attachment.htm From michael.wiegand at intevation.de Wed May 13 09:41:10 2009 
From: michael.wiegand at intevation.de (Michael Wiegand) Date: Wed, 13 May 2009 09:41:10 +0200 Subject: [Openvas-discuss] [Openvas-devel] Discontinuing openvas-plugins tarball? In-Reply-To: <20090423081146.GB11585@intevation.de> References: <20090423081146.GB11585@intevation.de> Message-ID: <20090513074110.GF20025@intevation.de> Hello, first of all, a big thank you to everyone who has taken part in this discussion. Thanks a lot for your great ideas! I have tried to condense the discussion into a Change Request. Please take a look at the CR at http://www.openvas.org/openvas-cr-32.html and let me know if I missed or misunderstood anything. If there are no more issues with the CR, I'd like to start voting on this CR. Please reply to this mail on the list and indicate if you are in favor of this Change Request (+1), don't care (+/-0) or are against it (-1). Thank you! Feel free to contact me if you have any questions or suggestions. Regards, Michael -- Michael Wiegand | OpenPGP: D7D049EC | Intevation GmbH - www.intevation.de Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://lists.wald.intevation.org/pipermail/openvas-discuss/attachments/20090513/d1aaf567/attachment.pgp From felix.wolfsteller at intevation.de Wed May 13 09:45:05 2009 
From: felix.wolfsteller at intevation.de (Felix Wolfsteller) Date: Wed, 13 May 2009 09:45:05 +0200 Subject: [Openvas-discuss] [Openvas-devel] Discontinuing openvas-plugins tarball? In-Reply-To: <20090513074110.GF20025@intevation.de> References: <20090423081146.GB11585@intevation.de> <20090513074110.GF20025@intevation.de> Message-ID: <200905130945.05988.felix.wolfsteller@intevation.de> +1 On Wednesday 13 May 2009 09:41:10 Michael Wiegand wrote: > Hello, > > first of all, a big thank you to everyone who has taken part in this > discussion. Thanks a lot for your great ideas! > > I have tried to condense the discussion into a Change Request. Please > take a look at the CR at http://www.openvas.org/openvas-cr-32.html and > let me know if I missed or misunderstood anything. > > If there are no more issues with the CR, I'd like to start voting on this > CR. Please reply to this mail on the list and indicate if you are in > favor of this Change Request (+1), don't care (+/-0) or are against it > (-1). Thank you! > > Feel free to contact me if you have any questions or suggestions. > > Regards, > > Michael -- Felix Wolfsteller | ++49-541-335 08 3451 | http://www.intevation.de/ PGP Key: 39DE0100 Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From jan-oliver.wagner at intevation.de Wed May 13 10:13:52 2009 
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner) Date: Wed, 13 May 2009 10:13:52 +0200 Subject: [Openvas-discuss] [Openvas-devel] Discontinuing openvas-plugins tarball? In-Reply-To: <20090513074110.GF20025@intevation.de> References: <20090423081146.GB11585@intevation.de> <20090513074110.GF20025@intevation.de> Message-ID: <200905131013.52692.jan-oliver.wagner@intevation.de> +1 -- Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From bchandra at secpod.com Wed May 13 10:39:38 2009 From: bchandra at secpod.com (Chandrashekhar B) Date: Wed, 13 May 2009 14:09:38 +0530 Subject: [Openvas-discuss] [Openvas-plugins] [Openvas-devel] Discontinuing openvas-pluginstarball? In-Reply-To: <20090513074110.GF20025@intevation.de> References: <20090423081146.GB11585@intevation.de> <20090513074110.GF20025@intevation.de> Message-ID: +1 Chandra. -----Original Message----- 
From: openvas-plugins-bounces at wald.intevation.org [mailto:openvas-plugins-bounces at wald.intevation.org] On Behalf Of Michael Wiegand Sent: Wednesday, May 13, 2009 1:11 PM To: openvas-devel at wald.intevation.org; OpenVAS Discussion List; OpenVAS Plugins List Subject: Re: [Openvas-plugins] [Openvas-devel] Discontinuing openvas-pluginstarball? Hello, first of all, a big thank you to everyone who has taken part in this discussion. Thanks a lot for your great ideas! I have tried to condense the discussion into a Change Request. Please take a look at the CR at http://www.openvas.org/openvas-cr-32.html and let me know if I missed or misunderstood anything. If there are no more issues with the CR, I'd like to start voting on this CR. Please reply to this mail on the list and indicate if you are in favor of this Change Request (+1), don't care (+/-0) or are against it (-1). Thank you! Feel free to contact me if you have any questions or suggestions. Regards, Michael -- Michael Wiegand | OpenPGP: D7D049EC | Intevation GmbH - www.intevation.de Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From waja at cyconet.org Wed May 13 10:40:25 2009 
From: waja at cyconet.org (Jan Wagner) Date: Wed, 13 May 2009 10:40:25 +0200 Subject: [Openvas-discuss] [Openvas-plugins] [Openvas-devel] Discontinuing openvas-plugins tarball? In-Reply-To: <20090513074110.GF20025@intevation.de> References: <20090423081146.GB11585@intevation.de> <20090513074110.GF20025@intevation.de> Message-ID: <200905131040.30385.waja@cyconet.org> openvas-cr-32++^H+1 On Wednesday 13 May 2009, Michael Wiegand wrote: > I have tried to condense the discussion into a Change Request. Please > take a look at the CR at http://www.openvas.org/openvas-cr-32.html and > let me know if I missed or misunderstood anything. With kind regards, Jan. -- Never write mail to , you have been warned! -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GIT d-- s+: a- C+++ UL++++ P+ L+++ E- W+++ N+++ o++ K++ w--- O M V- PS PE Y++ PGP++ t-- 5 X R tv- b+ DI- D++ G++ e++ h-- r+++ y+++ ------END GEEK CODE BLOCK------ From mime at gmx.de Wed May 13 11:01:42 2009 From: mime at gmx.de (Michael Meyer) Date: Wed, 13 May 2009 11:01:42 +0200 Subject: [Openvas-discuss] [Openvas-devel] Discontinuing openvas-plugins tarball? In-Reply-To: <20090513074110.GF20025@intevation.de> References: <20090423081146.GB11585@intevation.de> <20090513074110.GF20025@intevation.de> Message-ID: <20090513090142.GA2946@m2.homelinux.org> *** Michael Wiegand wrote: > If there are no more issues with the CR, I'd like to start voting on this > CR. Please reply to this mail on the list and indicate if you are in > favor of this Change Request (+1), don't care (+/-0) or are against it > (-1). Thank you! +1 Micha From jc at lacunae.org Wed May 13 11:08:23 2009 
From: jc at lacunae.org (Jonathan Care) Date: Wed, 13 May 2009 10:08:23 +0100 Subject: [Openvas-discuss] [Openvas-devel] Discontinuing openvas-plugins tarball? In-Reply-To: <20090513090142.GA2946@m2.homelinux.org> References: <20090423081146.GB11585@intevation.de> <20090513074110.GF20025@intevation.de> <20090513090142.GA2946@m2.homelinux.org> Message-ID: <29b38bfb0905130208w50ece509r278108b5992d9713@mail.gmail.com> +1 On 5/13/09, Michael Meyer wrote: > *** Michael Wiegand wrote: >> If there are no more issues with the CR, I'd like to start voting on this >> CR. Please reply to this mail on the list and indicate if you are in >> favor of this Change Request (+1), don't care (+/-0) or are against it >> (-1). Thank you! > > +1 > > Micha > _______________________________________________ > Openvas-discuss mailing list > Openvas-discuss at wald.intevation.org > http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss > -- Sent from my mobile device From dcorcuera at dimartel.es Wed May 13 18:32:48 2009 
From: dcorcuera at dimartel.es (David Corcuera) Date: Wed, 13 May 2009 18:32:48 +0200 Subject: [Openvas-discuss] Vulnerabilities detected in !packages not installed! In-Reply-To: <4A0993D0.2000700@securityspace.com> References: <4A099127.4050700@dimartel.es> <4A0993D0.2000700@securityspace.com> Message-ID: <4A0AF630.40702@dimartel.es> Hi list, It was my fault. dpkg -l and aptitude are not synchronized. It seems as though all these packages are installed. Thomas, Thanks for the tip dav Thomas Reinke wrote: > Hi David, > > Could you give me some more details. Which tests have tripped > positive for starters. And if possible if it doesn't violate > your security policies, the resulting file after running the > command on the target system: > > COLUMNS=200 dpkg -l >/tmp/pkg.list > > Thomas > > David Corcuera wrote: >> Hi list, >> >> As 'Subject' says, a scan has found some vulnerabilities in packages >> not installed as openoffice.org, cups, avahi, xterm, ffmpeg-debian, >> iceweasel, ... and more. >> Plugins chosen are Debian Local Security Checks. >> Can you give me a tip to investigate? >> >> Thanks >> dav >> >> _______________________________________________ >> Openvas-discuss mailing list >> Openvas-discuss at wald.intevation.org >> http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss >> > > From geoff at galitz.org Wed May 13 10:01:46 2009 From: geoff at galitz.org (Geoff Galitz) Date: Wed, 13 May 2009 10:01:46 +0200 Subject: [Openvas-discuss] [Openvas-devel] Discontinuing openvas-pluginstarball? In-Reply-To: <20090513074110.GF20025@intevation.de> References: <20090423081146.GB11585@intevation.de> <20090513074110.GF20025@intevation.de> Message-ID: <20B16ECBB2C348BEAACC23CB8296A63E@geoffPC> +1 --------------------------------- Geoff Galitz Blankenheim NRW, Germany http://www.galitz.org/ http://german-way.com/blog/ From d.jagdmann at dn-systems.de Wed May 13 19:07:41 2009 
From: d.jagdmann at dn-systems.de (Dirk Jagdmann) Date: Wed, 13 May 2009 10:07:41 -0700 Subject: [Openvas-discuss] [Openvas-devel] Discontinuing openvas-plugins tarball? In-Reply-To: <20090513074110.GF20025@intevation.de> References: <20090423081146.GB11585@intevation.de> <20090513074110.GF20025@intevation.de> Message-ID: <4A0AFE5D.1050306@dn-systems.de> +1 -- Dirk Jagdmann : Coder Tel. +49-5121-28989-15 -- DN-Systems Enterprise Internet Solutions GmbH Hornemannstr. 11 31137 Hildesheim, Germany Tel. +49-5121-28989-0 Fax. +49-5121-28989-11 Handelsregister HRB-3213 Amtsgericht Hildesheim Geschäftsführer: Lukas Grunwald From christian.edjenguele at owasp.org Wed May 13 19:08:10 2009 
From: christian.edjenguele at owasp.org (Christian Eric Edjenguele) Date: Wed, 13 May 2009 19:08:10 +0200 Subject: [Openvas-discuss] [Openvas-devel] Discontinuing openvas-pluginstarball? In-Reply-To: <20B16ECBB2C348BEAACC23CB8296A63E@geoffPC> References: <20090423081146.GB11585@intevation.de> <20090513074110.GF20025@intevation.de> <20B16ECBB2C348BEAACC23CB8296A63E@geoffPC> Message-ID: <4A0AFE7A.8000803@owasp.org> +1 -- Christian Eric Edjenguele IT Security Software Engineer / IT Enterprise Software Architect Mobile (IT): +39 3408580513 PGP KeyID: 0xB1654498 Key Server: http://pgp.mit.edu From ekah at gmx.net Mon May 4 13:51:48 2009 
From: ekah at gmx.net (Joerg Eckert) Date: Mon, 04 May 2009 13:51:48 +0200 Subject: [Openvas-discuss] ssh-check is always on In-Reply-To: <82E45D820ACE42F1A3F5D30B4D888E5B@bchandra> References: <20090504091206.97060@gmx.net> <200905041241.58660.felix.wolfsteller@intevation.de> <82E45D820ACE42F1A3F5D30B4D888E5B@bchandra> Message-ID: <20090504115148.19770@gmx.net> Hello I wrote (unfortunately) directly to Felix (sorry for that): If I open the report there is a light bulb and if I click on it there is the following information: ------- Reported by NVT "SSH Authorization" (1.3.6.1.4.1.25623.1.0.90022): It was not possible to login using the SSH credentials supplied. Hence local security checks is not enabled. ------- But I don't want to check for SSH. And I couldn't find any hint where I implemented such a check. -> The plugins are all disabled (double checked now). 0 enabled. Target = 1 target, nothing special On general tab there is: Optimize test and Safe checks on. I scan for port range: 445,8081,9593, 9595 I tried portscanning with different portscanners (nmap, openvas etc.). I also have a task for conficker only. But every time it wants to check for SSH and I can see this in the report. It's every time the same result. regards Joerg I've checked with and without selected silent - no difference. -------- Original Message -------- > Date: Mon, 4 May 2009 16:45:58 +0530 > From: "Chandrashekhar B" > To: "\'Felix Wolfsteller\'" , openvas-discuss at wald.intevation.org > CC: "\'Joerg Eckert\'" > Subject: RE: [Openvas-discuss] ssh-check is always on > Joerg, > > By default, OpenVAS identifies all open ports and the corresponding > services > attached (plugin find_service.nes). In case you want these messages not to > appear, select "Silent" in "Plugins" section. > > Thanks, > Chandra. > > -----Original Message----- 
> From: openvas-discuss-bounces at wald.intevation.org > [mailto:openvas-discuss-bounces at wald.intevation.org] On Behalf Of Felix > Wolfsteller > Sent: Monday, May 04, 2009 4:12 PM > To: openvas-discuss at wald.intevation.org > Cc: Joerg Eckert > Subject: Re: [Openvas-discuss] ssh-check is always on > > Hi Joerg > Might have to do with the selected port scanner (in the Options/General > tab). > Eventually it ignores the selection you provided. > Is there a message displayed if you select the 'ssh (22/tcp) ' item in the > report? > > -- felix > > On Monday 04 May 2009 11:12:06 Joerg Eckert wrote: > > Hello to all of you > > > > I have installed the newest openvas version and use the new linux > client. > > If I want to check a target I always receive in the report included a > ssh > > check. I don't want this, but I don't know where I could switch this off. > > > > It's not important if I only scan for explicit ports (all other stuff > > switched off (general, plugins, prefs) or if I do for example a > conficker > > scan. > > > > I receive a report but always with additional ssh (22/tcp) included > line. > > > > Please can you help me? > > > > If you need more information please tell me what you need. > > > > regards > > > > Joerg > > > > ps.: sorry for my english (my german is better :-) > > > -- > Felix Wolfsteller | ++49-541-335 08 3451 | http://www.intevation.de/ > PGP Key: 39DE0100 > Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B > 18998 > Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner > _______________________________________________ > Openvas-discuss mailing list > Openvas-discuss at wald.intevation.org > http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss From ekah at gmx.net Mon May 4 15:55:10 2009 
From: ekah at gmx.net (Joerg Eckert) Date: Mon, 04 May 2009 15:55:10 +0200 Subject: [Openvas-discuss] ssh-check is always on In-Reply-To: <200905041400.09746.felix.wolfsteller@intevation.de> References: <20090504091206.97060@gmx.net> <200905041241.58660.felix.wolfsteller@intevation.de> <20090504114658.19780@gmx.net> <200905041400.09746.felix.wolfsteller@intevation.de> Message-ID: <20090504135510.93680@gmx.net> Hello > Could you turn off "Dependencies: Enable at runtime" in the plugin view > (where > 0 plugins are enabled)? Also switch off "Silent" if that was not yet the > case. Done for both (already done, only checked). > The SSH authorization script should indeed only be executed if you have > selected a script that depends on/includes it. ok, so we have to search for this problem. (remark: with my vmware-installation I have this problem too, and they are installed independently and not copied) > You can increase the verbosity of the openvasd.dump / openvasd.message > files > in your openvasd.conf (enable anything with "logging"). ok, there is not much of logging. openvasd.dump= SSH-DEBUG: Not setting login information for local check at x.x.x.x : No mapping found [16686]//usr/lib/openvas/plugins/hydra_options.nasl) script_get_preference_file_location: could not get local file name from preference Passwords file : openvasd.messages= [Mon May 4 15:44:19 2009][16671] user Eckert starts a new scan. Target(s) : 10.200.126.6, with max_hosts = 20 and max_checks = 6 [Mon May 4 15:44:19 2009][16671] user Eckert : testing (x.x.x.x) [16676] [Mon May 4 15:44:19 2009][16676] shared_socket: Secret/SSH/socket is unknown [Mon May 4 15:44:19 2009][16676] process_internal_msg for ssh_authorization.nasl returned -1 [Mon May 4 15:44:29 2009][16676] Finished testing x.x.x.x. 
Time : 10.22 secs [Mon May 4 15:44:29 2009][16671] user Eckert : test complete [Mon May 4 15:44:29 2009][16671] Total time to scan all hosts : 10 seconds [Mon May 4 15:44:29 2009][16671] user Eckert : Kept alive connection I used the newest client and server I can get from atomic. Running CentOS here. Client runs on the same machine (don't have a win client). Is there any other config I can check? some debug I can configure? (yes, server and client always restarted after config changes) regards Joerg From felix.wolfsteller at intevation.de Mon May 18 08:46:56 2009 
From: felix.wolfsteller at intevation.de (Felix Wolfsteller) Date: Mon, 18 May 2009 08:46:56 +0200 Subject: [Openvas-discuss] ssh-check is always on In-Reply-To: <20090504135510.93680@gmx.net> References: <20090504091206.97060@gmx.net> <200905041400.09746.felix.wolfsteller@intevation.de> <20090504135510.93680@gmx.net> Message-ID: <200905180846.56325.felix.wolfsteller@intevation.de> Hi Joerg For completeness: Issue should be resolved after an openvas-nvt-sync and server restart (updated ssh_authorization.nasl). Please confirm. -- felix On Monday 04 May 2009 15:55:10 Joerg Eckert wrote: > Hello > > > Could you turn off "Dependencies: Enable at runtime" in the plugin view > > (where > > 0 plugins are enabled)? Also switch off "Silent" if that was not yet the > > case. > > Done for both (already done, only checked). > > > The SSH authorization script should indeed only be executed if you have > > selected a script that depends on/includes it. > > ok, so we have to search for this problem. (remark: with my > vmware-installation I have this problem too, and they are installed > independently and not copied) > > > You can increase the verbosity of the openvasd.dump / openvasd.message > > files > > in your openvasd.conf (enable anything with "logging"). > > ok, there is not much of logging. > > > openvasd.dump= > SSH-DEBUG: Not setting login information for local check at x.x.x.x : No > mapping found [16686]//usr/lib/openvas/plugins/hydra_options.nasl) > script_get_preference_file_location: could not get local file name from > preference Passwords file : > > > openvasd.messages= > [Mon May 4 15:44:19 2009][16671] user Eckert starts a new scan. 
Target(s) > : 10.200.126.6, with max_hosts = 20 and max_checks = 6 [Mon May 4 15:44:19 > 2009][16671] user Eckert : testing (x.x.x.x) [16676] [Mon May 4 15:44:19 > 2009][16676] shared_socket: Secret/SSH/socket is unknown [Mon May 4 > 15:44:19 2009][16676] process_internal_msg for ssh_authorization.nasl > returned -1 [Mon May 4 15:44:29 2009][16676] Finished testing x.x.x.x. > Time : 10.22 secs [Mon May 4 15:44:29 2009][16671] user Eckert : test > complete > [Mon May 4 15:44:29 2009][16671] Total time to scan all hosts : 10 seconds > [Mon May 4 15:44:29 2009][16671] user Eckert : Kept alive connection > > > I used the newest client and server I can get from atomic. Running CentOS > here. Client runs on the same machine (don't have a win client). > > Is there any other config I can check? some debug I can configure? > (yes, server and client always restarted after config changes) > > regards > Joerg -- Felix Wolfsteller | ++49-541-335 08 3451 | http://www.intevation.de/ PGP Key: 39DE0100 Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From cshaffer at gmail.com Mon May 18 19:36:20 2009 From: cshaffer at gmail.com (Curt Shaffer) Date: Mon, 18 May 2009 13:36:20 -0400 Subject: [Openvas-discuss] SANS Top 20 Message-ID: <6d604c70905181036q23265c0i91ddf0037a1c3d65@mail.gmail.com> Is there an easy way that I am missing to choose to scan for the SANS Top 20 list only? If not has anyone created a scan option like this that they can share? Thanks Curt From bchandra at secpod.com Mon May 18 19:40:26 2009 
From: bchandra at secpod.com (Chandrashekhar B) Date: Mon, 18 May 2009 23:10:26 +0530 Subject: [Openvas-discuss] SANS Top 20 In-Reply-To: <6d604c70905181036q23265c0i91ddf0037a1c3d65@mail.gmail.com> References: <6d604c70905181036q23265c0i91ddf0037a1c3d65@mail.gmail.com> Message-ID: <36A6ED37129043BFBCFE9A11FD847569@bchandra> Hello Curt, There's no existing profile for SANS Top 20. One could search all the CVE's from SANS Top 20 list inside the Plugins folder and create a scan profile based on that. Hopefully in future, we should start creating these important profiles. Thanks, Chandra. ________________________________________ From: openvas-discuss-bounces at wald.intevation.org [mailto:openvas-discuss-bounces at wald.intevation.org] On Behalf Of Curt Shaffer Sent: Monday, May 18, 2009 11:06 PM To: openvas-discuss at wald.intevation.org Subject: [Openvas-discuss] SANS Top 20 Is there an easy way that I am missing to choose to scan for the SANS Top 20 list only? If not has anyone created a scan option like this that they can share? Thanks Curt From cshaffer at gmail.com Mon May 18 23:40:31 2009 From: cshaffer at gmail.com (Curt Shaffer) Date: Mon, 18 May 2009 17:40:31 -0400 Subject: [Openvas-discuss] SANS Top 20 In-Reply-To: <36A6ED37129043BFBCFE9A11FD847569@bchandra> References: <6d604c70905181036q23265c0i91ddf0037a1c3d65@mail.gmail.com> <36A6ED37129043BFBCFE9A11FD847569@bchandra> Message-ID: <004601c9d801$463dc530$d2b94f90$@com> OK. Thanks. Guess my next question is who out there has already written a Perl script to do this to save me some time :) -----Original Message----- 
From: Chandrashekhar B [mailto:bchandra at secpod.com] Sent: Monday, May 18, 2009 1:40 PM To: 'Curt Shaffer'; openvas-discuss at wald.intevation.org Subject: RE: [Openvas-discuss] SANS Top 20 Hello Curt, There's no existing profile for SANS Top 20. One could search all the CVE's from SANS Top 20 list inside the Plugins folder and create a scan profile based on that. Hopefully in future, we should start creating these important profiles. Thanks, Chandra. ________________________________________ From: openvas-discuss-bounces at wald.intevation.org [mailto:openvas-discuss-bounces at wald.intevation.org] On Behalf Of Curt Shaffer Sent: Monday, May 18, 2009 11:06 PM To: openvas-discuss at wald.intevation.org Subject: [Openvas-discuss] SANS Top 20 Is there an easy way that I am missing to choose to scan for the SANS Top 20 list only? If not has anyone created a scan option like this that they can share? Thanks Curt From geoff at galitz.org Tue May 19 09:52:34 2009 
From: geoff at galitz.org (Geoff Galitz) Date: Tue, 19 May 2009 09:52:34 +0200 Subject: [Openvas-discuss] SANS Top 20 + NASL tracking DB In-Reply-To: <004601c9d801$463dc530$d2b94f90$@com> References: <6d604c70905181036q23265c0i91ddf0037a1c3d65@mail.gmail.com><36A6ED37129043BFBCFE9A11FD847569@bchandra> <004601c9d801$463dc530$d2b94f90$@com> Message-ID: <41B17D0DAEC24C8EB6A72C2F0ECEC87F@geoffPC> I have been contemplating putting together a web accessible database to catalogue nasl files and related files. Any recognizable property would be included in the db. For example: - descriptions - CVE identifiers - vendor specific identifiers - is this a local or remote check? - script family - and so on... Perhaps adding a text search for the nasl scripts is good idea, too. Particularly if you are not exactly clear on what you are looking for as a developer or user or if you need to identify certain functions or system calls in the event they are deprecated and need to change to remain compatible (speaking from past experience). This is relevant for the Top20 discussion because a filter could be implemented pretty easily to identify these vulnerabilities and create an up-to-date scanning profile. I currently don't have a lot of time to devote to new projects at this moment, but if folks think this would be useful (and not redundant) I'd explore doing this. If someone out there would be willing to fund such a project... then I could certainly move it up the list of priorities. I welcome all thoughts. -geoff --------------------------------- Geoff Galitz Blankenheim NRW, Germany http://www.galitz.org/ http://german-way.com/blog/ > -----Original Message----- 
> From: openvas-discuss-bounces at wald.intevation.org [mailto:openvas-discuss- > bounces at wald.intevation.org] On Behalf Of Curt Shaffer > Sent: Monday, 18 May 2009 23:41 > To: 'Chandrashekhar B'; openvas-discuss at wald.intevation.org > Subject: Re: [Openvas-discuss] SANS Top 20 > > OK. Thanks. Guess my next question is who out there has already written a > Perl script to do this to save me some time :) > > -----Original Message----- > From: Chandrashekhar B [mailto:bchandra at secpod.com] > Sent: Monday, May 18, 2009 1:40 PM > To: 'Curt Shaffer'; openvas-discuss at wald.intevation.org > Subject: RE: [Openvas-discuss] SANS Top 20 > > Hello Curt, > > There's no existing profile for SANS Top 20. One could search all the > CVE's > from SANS Top 20 list inside the Plugins folder and create a scan profile > based on that. > > Hopefully in future, we should start creating these important profiles. > > Thanks, > Chandra. > > ________________________________________ > From: openvas-discuss-bounces at wald.intevation.org > [mailto:openvas-discuss-bounces at wald.intevation.org] On Behalf Of Curt > Shaffer > Sent: Monday, May 18, 2009 11:06 PM > To: openvas-discuss at wald.intevation.org > Subject: [Openvas-discuss] SANS Top 20 > > Is there an easy way that I am missing to choose to scan for the SANS Top > 20 > list only? If not has anyone created a scan option like this that they can > share? > > Thanks > > Curt > > _______________________________________________ > Openvas-discuss mailing list > Openvas-discuss at wald.intevation.org > http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss From jan-oliver.wagner at intevation.de Tue May 19 11:02:56 2009 
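The approach Chandra suggests in the SANS Top 20 thread above (search the plugins folder for the CVEs on a list), combined with the property catalogue Geoff describes, as an added example that is not part of the original thread or of OpenVAS itself. The sample plugins, script ids and CVE ids are constructed placeholders, and building an OID as the prefix seen in this thread plus `script_id` is an assumption.

```python
"""Index NASL plugin metadata and select the plugins that cover a CVE list."""
import re
import tempfile
from pathlib import Path

# Prefix of the OID quoted in this thread (1.3.6.1.4.1.25623.1.0.90022).
# Building an OID as prefix + script_id is an assumption of this example.
OID_PREFIX = "1.3.6.1.4.1.25623.1.0."

# Argument list that tolerates parentheses inside NASL string literals.
ARGS = r"""((?:"[^"]*"|'(?:\\.|[^'\\])*'|[^()"'])*)"""
CALL = re.compile(r"\b(script_id|script_name|script_family|script_cve_id)\s*\(" + ARGS + r"\)")
STRING = re.compile(r""""([^"]*)"|'((?:\\.|[^'\\])*)'""")


def normalise_cve(cve):
    """Upper-case an id and map the old candidate prefix CAN- to CVE-."""
    cve = cve.strip().upper()
    return "CVE-" + cve[4:] if cve.startswith("CAN-") else cve


def parse_nasl(text):
    """Extract id, name, family and CVE ids from one NASL script's source."""
    # Simplification: drop whole-line '#' comments so disabled calls are ignored.
    code = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    meta = {"id": None, "name": None, "family": None, "cves": []}
    for func, args in CALL.findall(code):
        strings = [a or b for a, b in STRING.findall(args)]
        if func == "script_id" and args.strip().isdigit():
            meta["id"] = int(args)
        elif func == "script_cve_id":
            meta["cves"].extend(normalise_cve(s) for s in strings)
        elif func in ("script_name", "script_family") and strings:
            meta[func[len("script_"):]] = strings[0]
    return meta


def build_catalogue(plugin_dir):
    """Parse every *.nasl file below plugin_dir; skip files without a script_id."""
    catalogue = []
    for path in sorted(Path(plugin_dir).rglob("*.nasl")):
        meta = parse_nasl(path.read_text(encoding="latin-1"))  # latin-1 always decodes
        if meta["id"] is not None:
            meta["file"] = path.name
            catalogue.append(meta)
    return catalogue


def select_for_cves(catalogue, wanted):
    """Return (plugins covering any wanted CVE, wanted CVEs that no plugin covers)."""
    wanted = {normalise_cve(c) for c in wanted}
    selected = []
    for entry in sorted(catalogue, key=lambda e: e["id"]):
        matched = sorted(wanted.intersection(entry["cves"]))
        if matched:
            selected.append({"oid": OID_PREFIX + str(entry["id"]),
                             "file": entry["file"], "matched": matched})
    covered = {c for plugin in selected for c in plugin["matched"]}
    return selected, sorted(wanted - covered)


# Constructed sample plugins; ids and CVE numbers are placeholders, not real ones.
SAMPLES = {
    "example_overflow.nasl": '''if(description)
{
 script_id(999001);
 script_name(english:"Example service overflow (remote)");
 script_family("Windows");
 script_cve_id("CVE-0000-0001", "CVE-0000-0002");
 exit(0);
}''',
    "example_old_style.nasl": '''if(description)
{
 script_id(999002);
 script_name(english:"Example daemon check");
 script_family("General");
 # script_cve_id("CVE-0000-0003");
 script_cve_id("CAN-0000-0004");
 exit(0);
}''',
    "example_banner.nasl": '''if(description)
{
 script_id(999003);
 script_name(english:"Example banner grab");
 script_family("Service detection");
 exit(0);
}''',
}


def demo():
    """Write the samples to a temporary plugin directory and query a CVE list."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname, body in SAMPLES.items():
            Path(tmp, fname).write_text(body, encoding="latin-1")
        catalogue = build_catalogue(tmp)
    return select_for_cves(catalogue, ["CVE-0000-0002", "cve-0000-0004", "CVE-0000-0009"])


if __name__ == "__main__":
    plugins, uncovered = demo()
    for plugin in plugins:
        print(plugin["oid"], plugin["file"], ",".join(plugin["matched"]))
    print("no plugin found for:", ", ".join(uncovered) or "-")
```

The second return value matters as much as the first: list entries with no matching plugin are checks the resulting scan profile silently would not perform.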
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner) Date: Tue, 19 May 2009 11:02:56 +0200 Subject: [Openvas-discuss] Dropping hydra support In-Reply-To: <200905111632.54312.hans.ullrich@loop.de> References: <200905111612.27260.jan-oliver.wagner@intevation.de> <200905111632.54312.hans.ullrich@loop.de> Message-ID: <200905191102.58602.jan-oliver.wagner@intevation.de> On Monday, 11 May 2009, Hans-J. Ullrich wrote: > On Monday 11 May 2009, Jan-Oliver Wagner wrote: > > we have a couple of NVTs that wrap the tool "hydra" > > (http://freeworld.thc.org/thc-hydra/). > > > > Besides from being slightly out of date, I realized that this tool isn't > > Free Software. In fact it says it's GNU GPL and has some additional clauses. > > Those clauses prevent the "use for any purpose", basically it's some limits > > on commercial aspects. I checked back with the authors and was confirmed > > that this is not by chance but rather by intention. > > > > (This explains also why hydra has been removed from Debian a while ago). > > > > I would have preferred even a tighter integration with hydra, because it is > > light-weight and fast. > > However, as things are, IMHO we have no other choice than to remove the > > hydra NVTs as people might unintentionally violate the license of hydra. > > > > Any concerns or other comments? > Hi Jan, > > this is indeed a pity! I suggest, to add thc-hydra as a module, so the user is > able and can decide, to use or drop it to his purposes. > > If you do not include hydra into openvas directly, but as an optional addon, > the user may install it (either self-compiled or as a package) or not. > > Doing so, there is no problem using hydra in openvas. my strong preference is to throw the hydra scripts out of OpenVAS repository. They only call for trouble, one way or another. Ideally, the hydra package should maintain the NASL scripts. IMHO, OpenVAS should strictly focus on using Free Software only. 
> Looking at the required NVT's, I suggest to add a NVT-repository "non-free" > for those NVT's, as I think, the same problem will face us again, not only > with hydra. I am strictly against a "non-free" area. This would be an explicit invitation to people doing not-so-free stuff with OpenVAS, which IMHO is a strategic disadvantage for OpenVAS. Is there any user out there who applies hydra via OpenVAS? Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335083-0 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From jan-oliver.wagner at intevation.de Tue May 19 16:40:15 2009 
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner) Date: Tue, 19 May 2009 16:40:15 +0200 Subject: [Openvas-discuss] SANS Top 20 + NASL tracking DB In-Reply-To: <41B17D0DAEC24C8EB6A72C2F0ECEC87F@geoffPC> References: <6d604c70905181036q23265c0i91ddf0037a1c3d65@mail.gmail.com> <004601c9d801$463dc530$d2b94f90$@com> <41B17D0DAEC24C8EB6A72C2F0ECEC87F@geoffPC> Message-ID: <200905191640.19951.jan-oliver.wagner@intevation.de> On Tuesday, 19 May 2009, Geoff Galitz wrote: > I have been contemplating putting together a web accessible database to > catalogue nasl files and related files. Any recognizable property would be > included in the db. For example: > > - descriptions > - CVE identifiers > - vendor specific identifiers > - is this a local or remote check? > - script family > - and so on... I was planning already a sqlite-based DB for this with the intention to replace the cache files. Of course the same DB could be used on the client-side as well :-) > Perhaps adding a text search for the nasl scripts is good idea, too. > Particularly if you are not exactly clear on what you are looking for as a > developer or user or if you need to identify certain functions or system > calls in the event they are deprecated and need to change to remain > compatible (speaking from past experience). SQL would deliver all the search methods you dream of ;-) > This is relevant for the Top20 discussion because a filter could be > implemented pretty easily to identify these vulnerabilities and create an > up-to-date scanning profile. I don't think SANS Top 20 is something to solve with scan profiles. I rather think of a NASL script to coordinate the SANS Top 20. Greenbone implemented a prototype for this method for the German GSHB already. > I currently don't have a lot of time to devote to new projects at this > moment, but if folks think this would be useful (and not redundant) I'd > explore doing this. If someone out there would be willing to fund such a > project... 
then I could certainly move it up the list of priorities. I'd be interested in gathering a small team to work on the sqlite DB approach :-) However, first we need a good data model. Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335083-0 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From bchandra at secpod.com Wed May 20 08:53:49 2009 From: bchandra at secpod.com (Chandrashekhar B) Date: Wed, 20 May 2009 12:23:49 +0530 Subject: [Openvas-discuss] Voting CR #23 - Script Family standardization Message-ID: <26F2213FD2F44F19BAEAB99FD6404B23@bchandra> Hello All, The following CR, http://www.openvas.org/openvas-cr-23.html has been there for quite some time, think it is time to go for voting. Please vote +1 if we could go for the changes suggested in the CR. Thanks, Chandra. From mime at gmx.de Wed May 20 10:36:38 2009 From: mime at gmx.de (Michael Meyer) Date: Wed, 20 May 2009 10:36:38 +0200 Subject: [Openvas-discuss] Voting CR #23 - Script Family standardization In-Reply-To: <26F2213FD2F44F19BAEAB99FD6404B23@bchandra> References: <26F2213FD2F44F19BAEAB99FD6404B23@bchandra> Message-ID: <20090520083638.GB2641@m2.homelinux.org> *** Chandrashekhar B wrote: > The following CR, http://www.openvas.org/openvas-cr-23.html has been there > for quite some time, think it is time to go for voting. Please vote +1 if we > could go for the changes suggested in the CR. +1 Micha From felix.wolfsteller at intevation.de Wed May 20 12:57:38 2009 
From: felix.wolfsteller at intevation.de (Felix Wolfsteller) Date: Wed, 20 May 2009 12:57:38 +0200 Subject: [Openvas-discuss] [Openvas-plugins] Voting CR #23 - Script Family standardization In-Reply-To: <26F2213FD2F44F19BAEAB99FD6404B23@bchandra> References: <26F2213FD2F44F19BAEAB99FD6404B23@bchandra> Message-ID: <200905201257.38367.felix.wolfsteller@intevation.de> +1 -- felix On Wednesday 20 May 2009 08:53:49 Chandrashekhar B wrote: > Hello All, > > The following CR, http://www.openvas.org/openvas-cr-23.html has been there > for quite some time, think it is time to go for voting. Please vote +1 if we > could go for the changes suggested in the CR. > > Thanks, > Chandra. > > > _______________________________________________ > Openvas-plugins mailing list > Openvas-plugins at wald.intevation.org > http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins -- Felix Wolfsteller | ++49-541-335 08 3451 | http://www.intevation.de/ PGP Key: 39DE0100 Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From jandradas at gmv.com Wed May 20 13:26:57 2009 From: jandradas at gmv.com (Jonas Andradas Arias) Date: Wed, 20 May 2009 13:26:57 +0200 Subject: [Openvas-discuss] [Openvas-plugins] Voting CR #23 - Script Family standardization In-Reply-To: <200905201257.38367.felix.wolfsteller@intevation.de> References: <26F2213FD2F44F19BAEAB99FD6404B23@bchandra>, <200905201257.38367.felix.wolfsteller@intevation.de> Message-ID: +1 ________________________________________ 
From: openvas-discuss-bounces at wald.intevation.org [openvas-discuss-bounces at wald.intevation.org] On Behalf Of Felix Wolfsteller [felix.wolfsteller at intevation.de] Sent: Wednesday, May 20, 2009 12:57 PM To: openvas-discuss at wald.intevation.org Subject: Re: [Openvas-discuss] [Openvas-plugins] Voting CR #23 - Script Family standardization +1 -- felix On Wednesday 20 May 2009 08:53:49 Chandrashekhar B wrote: > Hello All, > > The following CR, http://www.openvas.org/openvas-cr-23.html has been there > for quite some time, think it is time to go for voting. Please vote +1 if we > could go for the changes suggested in the CR. > > Thanks, > Chandra. > > > _______________________________________________ > Openvas-plugins mailing list > Openvas-plugins at wald.intevation.org > http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins -- Felix Wolfsteller | ++49-541-335 08 3451 | http://www.intevation.de/ PGP Key: 39DE0100 Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner _______________________________________________ Openvas-discuss mailing list Openvas-discuss at wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss From bchandra at secpod.com Wed May 20 15:29:24 2009 
From: bchandra at secpod.com (Chandrashekhar B) Date: Wed, 20 May 2009 18:59:24 +0530 Subject: [Openvas-discuss] Updated CR #25 - WMI Implementation Message-ID: <75A85F34A6814A72BAFC0F5D2F7ADB58@bchandra> Hello, I have updated CR #25 - OpenVAS-libnasl: Introducing support for WMI http://www.openvas.org/openvas-cr-25.html Please review and let me know if you have any questions, feedback. I would like to put this for voting if there are no comments or concerns. Thanks, Chandra. From christian.edjenguele at owasp.org Wed May 20 19:24:37 2009 
From: christian.edjenguele at owasp.org (Christian Eric Edjenguele) Date: Wed, 20 May 2009 19:24:37 +0200 Subject: [Openvas-discuss] Voting CR #23 - Script Family standardization In-Reply-To: <20090520083638.GB2641@m2.homelinux.org> References: <26F2213FD2F44F19BAEAB99FD6404B23@bchandra> <20090520083638.GB2641@m2.homelinux.org> Message-ID: <4A143CD5.10803@owasp.org> +1 -- Christian Eric Edjenguele IT Security Software Engineer / IT Enterprise Software Architect Mobile (IT): +39 3408580513 PGP KeyID: 0xB1654498 Key Server: http://pgp.mit.edu From jan-oliver.wagner at intevation.de Fri May 22 09:21:18 2009 
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner) Date: Fri, 22 May 2009 09:21:18 +0200 Subject: [Openvas-discuss] Updated CR #25 - WMI Implementation In-Reply-To: <75A85F34A6814A72BAFC0F5D2F7ADB58@bchandra> References: <75A85F34A6814A72BAFC0F5D2F7ADB58@bchandra> Message-ID: <200905220921.20561.jan-oliver.wagner@intevation.de> On Wednesday, 20 May 2009, Chandrashekhar B wrote: > I have updated CR #25 - OpenVAS-libnasl: Introducing support for WMI > http://www.openvas.org/openvas-cr-25.html > > Please review and let me know if you have any questions, feedback. I would > like to put this for voting if there are no comments or concerns. In principle, this is a very good approach. Unfortunately the wmi stuff has been removed from Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523638, The licensing stuff could cause some trouble to OpenVAS. Relying on wmi-client should only be done if it's generally available. Think we should investigate this aspect further. Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335083-0 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From bchandra at secpod.com Fri May 22 10:18:28 2009 
From: bchandra at secpod.com (Chandrashekhar B) Date: Fri, 22 May 2009 13:48:28 +0530 Subject: [Openvas-discuss] Voting: CR #27 - IPv6 support Message-ID: Hello, The CR #27 is finalized and we would like to now take this for implementation. Please vote +1 if we could go for the changes suggested in the CR. Thanks, Chandra. From michael.wiegand at intevation.de Fri May 22 10:19:39 2009 
From: michael.wiegand at intevation.de (Michael Wiegand) Date: Fri, 22 May 2009 10:19:39 +0200 Subject: [Openvas-discuss] Voting: CR #27 - IPv6 support In-Reply-To: References: Message-ID: <20090522081939.GF1641@intevation.de> * Chandrashekhar B [22. May 2009]: > > Hello, > > The CR #27 is finalized and we would like to now take this for > implementation. Please vote +1 if we could go for the changes suggested in > the CR. +1. Regards, Michael -- Michael Wiegand | OpenPGP: D7D049EC | Intevation GmbH - www.intevation.de Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From hans.ullrich at loop.de Fri May 22 13:06:41 2009 
From: hans.ullrich at loop.de (Hans-J. Ullrich) Date: Fri, 22 May 2009 13:06:41 +0200 Subject: [Openvas-discuss] openvas on PDA Message-ID: <200905221306.42121.hans.ullrich@loop.de> Hi all, just a suggestion: What do you think of an openvas-client on a PDA like the Sharp Zaurus (running Angstrom, see http://www.angstrom-distribution.org) or any other PDA running linux (and maybe Windows)? I am using a Sharp Zaurus SL-C1000 with lots of tools on it (nmap, wireshark, kismet and so on), but I miss openvas. There was a nessus-client in the past, but it is no more running, due to changed libs. I think, there are already openvas-packages for strong arm available in debian, so transportation might be easy for developers. To port an openvas-server IMO is not such good idea, as the openvas-server might run too slow on such hardware. Well, just an idea, maybe you like it, running openvas on a PDA and get connected to an openvas-server with it. Cheers Hans-J. Ullrich From c_edjenguele at yahoo.it Fri May 22 13:07:18 2009 
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE) Date: Fri, 22 May 2009 11:07:18 +0000 (GMT) Subject: [Openvas-discuss] Introducing support for WMI In-Reply-To: References: Message-ID: <320338.39311.qm@web28606.mail.ukl.yahoo.com>

Hello all,

I've successfully used Impacket from Core Security; it is an open source project but released under an Apache-like license. The following protocols are featured in Impacket:

* Ethernet, Linux "Cooked" capture.
* IP, TCP, UDP, ICMP, IGMP, ARP.
* NMB and SMB (high-level implementations).
* DCE/RPC versions 4 and 5, over different transports: UDP (version 4 exclusively), TCP, SMB/TCP, SMB/NetBIOS and HTTP.
* Multiple ways of doing SMB tree_connect, file open, read, write.
* SMB "fragmentation", SMB AndX command chaining.
* Plain, NT and LM v1 authentications, using password and hashes only.
* Portions of the following DCE/RPC interfaces: Conv, DCOM, EPM, SAMR, SvcCtl, WinReg.
* DCERPC Alternate contexts, Multi-bind requests, Endianness selection
* DCERPC NT and LM v1 authentication, integrity checking and encryption.
* DCERPC v4 and v5 fragmentation, DCERPC v4 idempotent requests.

This can also be a replacement of the smb_nt.inc function (and can resolve the bug 779). But does it make sense to integrate Python in OpenVAS? I think it's time to build OpenVAS upon a powerful and flexible object-oriented language; Python is a good candidate. The _winreg module (renamed to winreg in Python 3.0) provides Windows registry access. For your information, I already have all SMB-related functions implemented in Python. You can refer to the official web site for more details: http://www.coresecurity.com/content/open-source-projects#Impacket

Best.
--- Christian Eric Edjenguele IT Security Software Developer & Researcher / Business Developer / Enterprise Software Architect mobile (IT): +39 3408580513
From Jan-Oliver.Wagner at greenbone.net Fri May 22 15:58:04 2009 
From: Jan-Oliver.Wagner at greenbone.net (Jan-Oliver Wagner) Date: Fri, 22 May 2009 15:58:04 +0200 Subject: [Openvas-discuss] openvas on PDA In-Reply-To: <200905221306.42121.hans.ullrich@loop.de> References: <200905221306.42121.hans.ullrich@loop.de> Message-ID: <200905221558.06181.Jan-Oliver.Wagner@greenbone.net> On Friday, 22 May 2009, Hans-J. Ullrich wrote: > just a suggestion: What do you think of an openvas-client on a PDA like the > Sharp Zaurus (running Angstrom, see http://www.angstrom-distribution.org) or > any other PDA running linux (and maybe Windows)? > > I am using a Sharp Zaurus SL-C1000 with lots of tools on it (nmap, wireshark, > kismet and so on), but I miss openvas. There was a nessus-client in the past, > but it is no more running, due to changed libs. > > I think, there are already openvas-packages for strong arm available in > debian, so transportation might be easy for developers. > > To port an openvas-server IMO is not such good idea, as the openvas-server > might run too slow on such hardware. > > Well, just an idea, maybe you like it, running openvas on a PDA and get > connected to an openvas-server with it. quite some time ago, just out of curiosity and while sitting in a train, I built the GTK client for my Zaurus 860. The biggest problem is that the PDA displays are so small and the GTK client isn't optimized for size at all. So it's no real fun using it. I rather prefer to wait for a nice web client :-) Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/ Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460 Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner From hans.ullrich at loop.de Fri May 22 16:10:08 2009 
From: hans.ullrich at loop.de (Hans-J. Ullrich) Date: Fri, 22 May 2009 16:10:08 +0200 Subject: [Openvas-discuss] openvas on PDA In-Reply-To: <200905221558.06181.Jan-Oliver.Wagner@greenbone.net> References: <200905221306.42121.hans.ullrich@loop.de> <200905221558.06181.Jan-Oliver.Wagner@greenbone.net> Message-ID: <200905221610.08365.hans.ullrich@loop.de> On Friday, 22 May 2009, Jan-Oliver Wagner wrote: > On Friday, 22 May 2009, Hans-J. Ullrich wrote: > > just a suggestion: What do you think of an openvas-client on a PDA like > > the Sharp Zaurus (running Angstrom, see > > http://www.angstrom-distribution.org) or any other PDA running linux (and > > maybe Windows)? > > > > I am using a Sharp Zaurus SL-C1000 with lots of tools on it (nmap, > > wireshark, kismet and so on), but I miss openvas. There was a > > nessus-client in the past, but it is no more running, due to changed > > libs. > > > > I think, there are already openvas-packages for strong arm available in > > debian, so transportation might be easy for developers. > > > > To port an openvas-server IMO is not such good idea, as the > > openvas-server might run too slow on such hardware. > > > > Well, just an idea, maybe you like it, running openvas on a PDA and get > > connected to an openvas-server with it. > > quite some time ago, just out of curiosity and while sitting in a train, I > built the GTK client for my Zaurus 860. The biggest problem > is that the PDA displays are so small and the GTK client isn't optimized > for size at all. So it's no real fun using it. > > I rather prefer to wait for a nice web client :-) > > Best > > Jan Oh yes, I see. Well with a resolution of 640x480 this might be really no fun to use it. What browser for that is in your mind? I saw none, which did really grab me. Just as you said: the small display. Maybe "Dillo2" seems a good solution, although it lacks of java. Firefox, minimo, gpe-minibrowser got the same problem. Opera is not running in Angstrom, and Konqueror (my second favourite one), needs opie (better say: qt4). Anyway, I am looking forward to it, and you will get my feedback as soon as it is out. Promised! Cheers Hans-J. Ullrich From christian.edjenguele at owasp.org Fri May 22 21:19:07 2009 
From: christian.edjenguele at owasp.org (Christian Eric Edjenguele) Date: Fri, 22 May 2009 21:19:07 +0200 Subject: [Openvas-discuss] Voting: CR #27 - IPv6 support In-Reply-To: <20090522081939.GF1641@intevation.de> References: <20090522081939.GF1641@intevation.de> Message-ID: <4A16FAAB.7050902@owasp.org> +1 -- Christian Eric Edjenguele IT Security Software Engineer / IT Enterprise Software Architect Mobile (IT): +39 3408580513 PGP KeyID: 0xB1654498 Key Server: http://pgp.mit.edu From Jan-Oliver.Wagner at greenbone.net Sun May 24 21:20:40 2009 
From: Jan-Oliver.Wagner at greenbone.net (Jan-Oliver Wagner) Date: Sun, 24 May 2009 21:20:40 +0200 Subject: [Openvas-discuss] Voting: CR #27 - IPv6 support In-Reply-To: References: Message-ID: <200905242120.40534.Jan-Oliver.Wagner@greenbone.net> On Friday 22 May 2009 10:18:28 Chandrashekhar B wrote: > The CR #27 is finalized and we would like to now take this for > implementation. Please vote +1 if we could go for the changes suggested in > the CR. +1 -- Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/ Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück AG Osnabrück, HR B 202460 | Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner From felix.wolfsteller at intevation.de Mon May 25 09:34:17 2009 
From: felix.wolfsteller at intevation.de (Felix Wolfsteller) Date: Mon, 25 May 2009 09:34:17 +0200 Subject: [Openvas-discuss] Voting: CR #27 - IPv6 support In-Reply-To: References: Message-ID: <200905250934.17904.felix.wolfsteller@intevation.de> +1 --felix On Friday 22 May 2009 10:18:28 Chandrashekhar B wrote: > Hello, > > The CR #27 is finalized and we would like to now take this for > implementation. Please vote +1 if we could go for the changes suggested in > the CR. > > Thanks, > Chandra. > > > _______________________________________________ > Openvas-discuss mailing list > Openvas-discuss at wald.intevation.org > http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss -- Felix Wolfsteller | ++49-541-335 08 3451 | http://www.intevation.de/ PGP Key: 39DE0100 Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From hans.ullrich at loop.de Mon May 25 09:46:00 2009 
From: hans.ullrich at loop.de (Hans-J. Ullrich) Date: Mon, 25 May 2009 09:46:00 +0200 Subject: [Openvas-discuss] Voting: CR #27 - IPv6 support In-Reply-To: <200905250934.17904.felix.wolfsteller@intevation.de> References: <200905250934.17904.felix.wolfsteller@intevation.de> Message-ID: <200905250946.01168.hans.ullrich@loop.de> Although I am no coder, I like it. +1 > > The CR #27 is finalized and we would like to now take this for > > implementation. Please vote +1 if we could go for the changes suggested > > in the CR. > > > > Thanks, > > Chandra. > > > > > > _______________________________________________ > > Openvas-discuss mailing list > > Openvas-discuss at wald.intevation.org > > http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss From mime at gmx.de Mon May 25 10:41:03 2009 
From: mime at gmx.de (Michael Meyer) Date: Mon, 25 May 2009 10:41:03 +0200 Subject: [Openvas-discuss] Voting: CR #27 - IPv6 support In-Reply-To: References: Message-ID: <20090525084103.GA3128@m2.homelinux.org> +1 Micha From mcd at kanjisoft.com Tue May 26 04:06:53 2009 
From: mcd at kanjisoft.com (mcd@kanjisoft.com) Date: Mon, 25 May 2009 20:06:53 -0600 (MDT) Subject: [Openvas-discuss] Voting: CR #27 - IPv6 support In-Reply-To: <20090525084103.GA3128@m2.homelinux.org> References: <20090525084103.GA3128@m2.homelinux.org> Message-ID: <1336.24.91.169.167.1243303613.squirrel@box512.bluehost.com> +1 -mcd From bchandra at secpod.com Tue May 26 09:56:30 2009 
From: bchandra at secpod.com (Chandrashekhar B) Date: Tue, 26 May 2009 13:26:30 +0530 Subject: [Openvas-discuss] Introducing support for WMI In-Reply-To: <320338.39311.qm@web28606.mail.ukl.yahoo.com> References: <320338.39311.qm@web28606.mail.ukl.yahoo.com> Message-ID: <864F526EA85444F08488B599794D7B7A@bchandra> Hello Christian, Impacket is a nice idea, we should at least consider using it for SMB packet crafting purposes. But, OpenVAS has to be extended to use this Python library. We could discuss this in DevCon #2. I am not sure about Python replacement, probably a better option than NASL. We need a separate CR for that :) Thanks, Chandra. From mime at gmx.de Tue May 26 10:32:22 2009 
From: mime at gmx.de (Michael Meyer) Date: Tue, 26 May 2009 10:32:22 +0200 Subject: [Openvas-discuss] Introducing support for WMI In-Reply-To: <864F526EA85444F08488B599794D7B7A@bchandra> References: <320338.39311.qm@web28606.mail.ukl.yahoo.com> <864F526EA85444F08488B599794D7B7A@bchandra> Message-ID: <20090526083222.GA3391@m2.homelinux.org> *** Chandrashekhar B wrote: > I am not sure about Python replacement, probably a better option than NASL. s/python/perl/ and I will vote +1. ;-) But this is AFAIK an old discussion... http://www.virtualblueness.net/nasl.html#tth_sEc1.3 Micha From thomas.jones at maitreyasecurity.com Tue May 26 17:43:24 2009 
From: thomas.jones at maitreyasecurity.com (Thomas R. Jones) Date: Tue, 26 May 2009 10:43:24 -0500 Subject: [Openvas-discuss] Formal body of knowledge? Message-ID: <0CD851B2-4939-4A89-A42F-CFE53613B3D1@maitreyasecurity.com> Hello all, I have been following the openvas community for some time as a silent observer. I'd like to know if there is a formal constraint for CR processing. Seemingly a developer feels as though a particular CR needs implementation then he/she initiates a "vote". A project of such importance and structure should be formally represented and maintained. This renders this project in a less than professional and exemplary light----which it deserves. I present my recommendation that CRs are processed formally. I would further present my belief that these transitions be in accordance with recognized software development life cycle analysis and design techniques. I may construct and present a recommended SDLC implementation at your request. Thank you all for your time and effort. Thomas Jones Sent from my iPhone From Jan-Oliver.Wagner at greenbone.net Tue May 26 20:17:20 2009 
From: Jan-Oliver.Wagner at greenbone.net (Jan-Oliver Wagner) Date: Tue, 26 May 2009 20:17:20 +0200 Subject: [Openvas-discuss] Formal body of knowledge? In-Reply-To: <0CD851B2-4939-4A89-A42F-CFE53613B3D1@maitreyasecurity.com> References: <0CD851B2-4939-4A89-A42F-CFE53613B3D1@maitreyasecurity.com> Message-ID: <200905262017.21102.Jan-Oliver.Wagner@greenbone.net> On Tuesday 26 May 2009 17:43:24 Thomas R. Jones wrote: > I have been following the openvas community for some time as a silent > observer. I'd like to know if there is a formal constraint for CR > processing. Seemingly a developer feels as though a particular CR > needs implementation, then he/she initiates a "vote". A project of > such importance and structure should be formally represented and > maintained. This renders this project in a less than professional and > exemplary light----which it deserves. The change request procedure works well now for 32 items. Though not 100% specified, the process helps and does not get in the way. I regard it quite professional to document major changes in the way we do. Only few Free Software projects do this. > I present my recommendation that CRs are processed formally. I would > further present my belief that these transitions be in accordance with > recognized software development life cycle analysis and design > techniques. Good proposals are welcome. Please keep in mind that they need to be doable in practice when designing a new process. Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/ Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück AG Osnabrück, HR B 202460 | Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner From christian.edjenguele at owasp.org Tue May 26 22:59:15 2009 
From: christian.edjenguele at owasp.org (Christian Eric Edjenguele) Date: Tue, 26 May 2009 22:59:15 +0200 Subject: [Openvas-discuss] Introducing support for WMI In-Reply-To: <864F526EA85444F08488B599794D7B7A@bchandra> References: <320338.39311.qm@web28606.mail.ukl.yahoo.com> <864F526EA85444F08488B599794D7B7A@bchandra> Message-ID: <4A1C5823.3000805@owasp.org> Chandrashekhar B wrote: > Hello Christian, > > Impacket is a nice idea, we should at least consider using it for SMB packet > crafting purposes. But, OpenVAS has to be extended to use this Python > library. We could discuss this in DevCon #2. perfect > > I am not sure about Python replacement, probably a better option than NASL. > We need a separate CR for that :) I know that NASL is optimized for nessus (and then OpenVAS too) but Python offers more functionalities. Best. > > Thanks, > Chandra. > > -----Original Message----- 
> From: openvas-discuss-bounces at wald.intevation.org > [mailto:openvas-discuss-bounces at wald.intevation.org] On Behalf Of Christian > Eric EDJENGUELE > Sent: Friday, May 22, 2009 4:37 PM > To: openvas-discuss at wald.intevation.org > Subject: Re: [Openvas-discuss] Introducing support for WMI > > > Hello all, > I've successfully used impacket from core security, it is an open source > project but released under an Apache-like license. > > > The following protocols are featured in Impacket > * Ethernet, Linux "Cooked" capture. > * IP, TCP, UDP, ICMP, IGMP, ARP. > * NMB and SMB (high-level implementations). > * DCE/RPC versions 4 and 5, over different transports: UDP (version > 4 exclusively), TCP, SMB/TCP, SMB/NetBIOS and HTTP. > * Multiple ways of doing SMB tree_connect, file open, read, write. > * SMB "fragmentation", SMB AndX command chaining. > * Plain, NT and LM v1 authentications, using password and hashes > only. > * Portions of the following DCE/RPC interfaces: Conv, DCOM, EPM, > SAMR, SvcCtl, WinReg. > * DCERPC Alternate contexts, Multi-bind requests, Endianness > selection > * DCERPC NT and LM v1 authentication, integrity checking and > encryption. > * DCERPC v4 and v5 fragmentation, DCERPC v4 idempotent requests. > > This can also be a replacement of smb_nt.inc function (and can resolve the bug > 779). > But does it make sense to integrate Python in OpenVAS? I think it's time to > build OpenVAS upon a powerful and flexible object-oriented language, Python > is a good candidate. The _winreg module (renamed to winreg in Python 3.0) > provides Windows registry access. > > For your information, I already have all smb related function implemented in > python. > > You can refer to the official web site for more details: > http://www.coresecurity.com/content/open-source-projects#Impacket > > Best. 
> > > --- > Christian Eric Edjenguele > IT Security Software Developer & Researcher / Business Developer / > Enterprise Software Architect > mobile (IT): +39 3408580513 > > > > ----- Original message ----- >> From: "openvas-discuss-request at wald.intevation.org" >> To: openvas-discuss at wald.intevation.org >> Sent: Friday 22 May 2009, 12:00:02 >> Subject: Openvas-discuss Digest, Vol 28, Issue 20 >> >> Today's Topics: >> >> 1. Re: Updated CR #25 - WMI Implementation (Jan-Oliver Wagner) >> 2. Voting: CR #27 - IPv6 support (Chandrashekhar B) >> 3. Re: Voting: CR #27 - IPv6 support (Michael Wiegand) >> >> >> ---------------------------------------------------------------------- >> >> Message: 1 >> Date: Fri, 22 May 2009 09:21:18 +0200 
>> From: "Jan-Oliver Wagner" >> Subject: Re: [Openvas-discuss] Updated CR #25 - WMI Implementation >> To: openvas-discuss at wald.intevation.org >> Message-ID: <200905220921.20561.jan-oliver.wagner at intevation.de> >> Content-Type: Text/Plain; charset="iso-8859-1" >> >> On Wednesday, 20 May 2009, Chandrashekhar B wrote: >>> I have updated CR #25 - OpenVAS-libnasl: Introducing support for WMI >>> http://www.openvas.org/openvas-cr-25.html >>> >>> Please review and let me know if you have any questions, feedback. I would >>> like to put this for voting if there are no comments or concerns. >> In principle, this is a very good approach. >> Unfortunately the wmi stuff has been removed from Debian: >> >> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523638, >> >> The licensing stuff could cause some trouble to OpenVAS. >> Relying on wmi-client should only be done if it's generally available. >> >> Think we should investigate this aspect further. >> >> Best >> >> Jan >> >> -- >> Dr. Jan-Oliver Wagner | ++49-541-335083-0 | http://www.intevation.de/ >> Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 >> Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner >> >> >> ------------------------------ >> >> Message: 2 >> Date: Fri, 22 May 2009 13:48:28 +0530 >> From: "Chandrashekhar B" >> Subject: [Openvas-discuss] Voting: CR #27 - IPv6 support >> To: >> Message-ID: >> Content-Type: text/plain; charset="us-ascii" >> >> >> Hello, >> >> The CR #27 is finalized and we would like to now take this for >> implementation. Please vote +1 if we could go for the changes suggested in >> the CR. >> >> Thanks, >> Chandra. >> >> >> >> >> ------------------------------ >> >> Message: 3 >> Date: Fri, 22 May 2009 10:19:39 +0200 
>> From: Michael Wiegand >> Subject: Re: [Openvas-discuss] Voting: CR #27 - IPv6 support >> To: openvas-discuss at wald.intevation.org >> Message-ID: <20090522081939.GF1641 at intevation.de> >> Content-Type: text/plain; charset="iso-8859-15" >> >> * Chandrashekhar B [22. May 2009]: >>> Hello, >>> >>> The CR #27 is finalized and we would like to now take this for >>> implementation. Please vote +1 if we could go for the changes suggested in >>> the CR. >> +1. >> >> Regards, >> >> Michael >> >> -- >> Michael Wiegand | OpenPGP: D7D049EC | Intevation GmbH - www.intevation.de >> Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 18998 >> Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -- Christian Eric Edjenguele IT Security Software Engineer / IT Enterprise Software Architect Mobile (IT): +39 3408580513 PGP KeyID: 0xB1654498 Key Server: http://pgp.mit.edu -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.9 
(GNU/Linux) -----END PGP PUBLIC KEY BLOCK----- From michael.wiegand at intevation.de Wed May 27 08:34:28 2009 
From: michael.wiegand at intevation.de (Michael Wiegand) Date: Wed, 27 May 2009 08:34:28 +0200 Subject: [Openvas-discuss] Formal body of knowledge? In-Reply-To: <0CD851B2-4939-4A89-A42F-CFE53613B3D1@maitreyasecurity.com> References: <0CD851B2-4939-4A89-A42F-CFE53613B3D1@maitreyasecurity.com> Message-ID: <20090527063428.GC22667@intevation.de> * Thomas R. Jones [26. May 2009]: > I have been following the openvas community for some time as a silent > observer. I'd like to know if there is a formal constraint for CR > processing. Seemingly a developer feels as though a particular CR > needs implementation, then he/she initiates a "vote". A project of > such importance and structure should be formally represented and > maintained. This renders this project in a less than professional and > exemplary light----which it deserves. I agree with Thomas. Although the process works as it is, a little more formalization and guidelines surely would not hurt and might lead to a quicker implementation of CRs. There are a few things that are known in the community, but have not been written down yet. Topics I would like to see documented are: - Where should the call for votes be announced? - Who should be able to announce it? - How long should the voting period last? - Should we document who is working on which CR? Thomas, I'm looking forward to suggestions; it might be useful for you (and us) if you could update the section in the compendium (see http://www.openvas.org/compendium/management-of-openvas-change-requests.html) to reflect the status quo. If you have any questions, feel free to ask on the lists or on IRC. As Jan said, keep in mind that the process has to be manageable with the resources at hand. I guess a good strategy would be to take the current process as a starting point. 
Regards, Michael -- Michael Wiegand | OpenPGP: D7D049EC | Intevation GmbH - www.intevation.de Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From hans.ullrich at loop.de Wed May 27 13:12:28 2009 From: hans.ullrich at loop.de (Hans-J. Ullrich) Date: Wed, 27 May 2009 13:12:28 +0200 Subject: [Openvas-discuss] Again: Openvas-Client on Zaurus Message-ID: <200905271312.28583.hans.ullrich@loop.de> Hi all, a week ago, I made a suggestion, running openvas-client on a Zaurus. Well, as Jan told, the interface is too big for a resolution on 640x480 (and of course on 320x240, too) Well, I am no coder, but I got the idea, when the interface is using smaller icons, and smaller letter sizes, it might be possible, to get it on such a display. Everything must be made smaller, also the number of pixels for the frames. Doing so, it might be possible, to run openvas-client on a small screen. I do not know, how difficult it is, to change all the sizes of the interface, it was just an idea. Regards Hans From geoff at galitz.org Wed May 27 13:41:39 2009 
From: geoff at galitz.org (Geoff Galitz) Date: Wed, 27 May 2009 13:41:39 +0200 Subject: [Openvas-discuss] Again: Openvas-Client on Zaurus In-Reply-To: <200905271312.28583.hans.ullrich@loop.de> References: <200905271312.28583.hans.ullrich@loop.de> Message-ID: What about using the CLI version of the client? --------------------------------- Geoff Galitz Blankenheim NRW, Germany http://www.galitz.org/ http://german-way.com/blog/ _____ From: openvas-discuss-bounces at wald.intevation.org [mailto:openvas-discuss-bounces at wald.intevation.org] On Behalf Of Hans-J. Ullrich Sent: Wednesday, 27 May 2009 13:12 To: openvas-discuss at wald.intevation.org Subject: [Openvas-discuss] Again: Openvas-Client on Zaurus Hi all, a week ago, I made a suggestion, running openvas-client on a Zaurus. Well, as Jan told, the interface is too big for a resolution on 640x480 (and of course on 320x240, too) Well, I am no coder, but I got the idea, when the interface is using smaller icons, and smaller letter sizes, it might be possible, to get it on such a display. Everything must be made smaller, also the number of pixels for the frames. Doing so, it might be possible, to run openvas-client on a small screen. I do not know, how difficult it is, to change all the sizes of the interface, it was just an idea. Regards Hans From geoff at galitz.org Wed May 27 14:02:59 2009 
From: geoff at galitz.org (Geoff Galitz) Date: Wed, 27 May 2009 14:02:59 +0200 Subject: [Openvas-discuss] Formal body of knowledge? In-Reply-To: <20090527063428.GC22667@intevation.de> References: <0CD851B2-4939-4A89-A42F-CFE53613B3D1@maitreyasecurity.com> <20090527063428.GC22667@intevation.de> Message-ID: <4F85A33DB56944F7B57E1FD8865BE8C9@geoffPC> I mostly agree with Michael. It seems to me the greatest value comes from the continued documentation of the process. I've only been with the project a short time, but it seems quite functional and open. These are two important items to me. I've seen too many projects, both open source/volunteer and closed source/commercial killed by implementing formal processes. I suppose the issue was that the formal process implementation had been done inappropriately rather than such implementation being inherently bad... but then again we have a saying: "If it ain't broke, don't fix it." Being new, I see value in the current process in being documented, and perhaps we'll find things that need to be fixed now to scale up the project in future (assuming that happens). -geoff --------------------------------- Geoff Galitz Blankenheim NRW, Germany http://www.galitz.org/ http://german-way.com/blog/ > -----Original Message----- 
> From: openvas-discuss-bounces at wald.intevation.org [mailto:openvas-discuss-bounces at wald.intevation.org] On Behalf Of Michael Wiegand > Sent: Wednesday, 27 May 2009 08:34 > To: Thomas R. Jones > Cc: openvas-discuss at wald.intevation.org > Subject: Re: [Openvas-discuss] Formal body of knowledge? > > * Thomas R. Jones [26. May 2009]: > > I have been following the openvas community for some time as a silent > > observer. I'd like to know if there is a formal constraint for CR > > processing. Seemingly a developer feels as though a particular CR > > needs implementation, then he/she initiates a "vote". A project of > > such importance and structure should be formally represented and > > maintained. This renders this project in a less than professional and > > exemplary light----which it deserves. > > I agree with Thomas. Although the process works as it is, a little more > formalization and guidelines surely would not hurt and might lead to a > quicker implementation of CRs. > > There are a few things that are known in the community, but have not been > written down yet. Topics I would like to see documented are: > - Where should the call for votes be announced? > - Who should be able to announce it? > - How long should the voting period last? > - Should we document who is working on which CR? > > Thomas, I'm looking forward to suggestions; it might be useful for you > (and us) if you could update the section in the compendium (see > http://www.openvas.org/compendium/management-of-openvas-change-requests.html) > to reflect the status quo. If you have any questions, feel free to ask > on the lists or on IRC. > > As Jan said, keep in mind that the process has to be manageable with the > resources at hand. I guess a good strategy would be to take the current > process as a starting point. 
> > Regards, > > Michael > > -- > Michael Wiegand | OpenPGP: D7D049EC | Intevation GmbH - www.intevation.de > Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 18998 > Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From Jan-Oliver.Wagner at greenbone.net Wed May 27 14:11:10 2009 From: Jan-Oliver.Wagner at greenbone.net (Jan-Oliver Wagner) Date: Wed, 27 May 2009 14:11:10 +0200 Subject: [Openvas-discuss] Again: Openvas-Client on Zaurus In-Reply-To: <200905271312.28583.hans.ullrich@loop.de> References: <200905271312.28583.hans.ullrich@loop.de> Message-ID: <200905271411.11972.Jan-Oliver.Wagner@greenbone.net> On Wednesday, 27 May 2009, Hans-J. Ullrich wrote: > Well, I am no coder, but I got the idea, when the interface is using smaller > icons, and smaller letter sizes, it might be possible, to get it on such a > display. Everything must be made smaller, also the number of pixels for the > frames. > > Doing so, it might be possible, to run openvas-client on a small screen. > > I do not know, how difficult it is, to change all the sizes of the interface, > it was just an idea. IIRC, it should be possible to modify the appearance of the GTK application via some GTK basic configuration. Or was this for GNOME only? Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/ Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460 Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner From Jan-Oliver.Wagner at greenbone.net Wed May 27 15:19:28 2009 
From: Jan-Oliver.Wagner at greenbone.net (Jan-Oliver Wagner) Date: Wed, 27 May 2009 15:19:28 +0200 Subject: [Openvas-discuss] OpenVAS DevCon: Invited Talk? Message-ID: <200905271519.29975.Jan-Oliver.Wagner@greenbone.net> Hello, unfortunately neither nmap people nor Metasploit people are able to join our devcon. Alternative ideas are welcome. However, not having an invited talk would not lower the value of the results surely achieved with the DevCon. Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/ Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460 Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner From jonas at andradas.es Wed May 27 17:12:27 2009 
From: jonas at andradas.es (Jonas Andradas) Date: Wed, 27 May 2009 17:12:27 +0200 Subject: [Openvas-discuss] OpenVAS DevCon: Invited Talk? In-Reply-To: <200905271519.29975.Jan-Oliver.Wagner@greenbone.net> References: <200905271519.29975.Jan-Oliver.Wagner@greenbone.net> Message-ID: Hello Jan, On Wed, May 27, 2009 at 3:19 PM, Jan-Oliver Wagner < Jan-Oliver.Wagner at greenbone.net> wrote: > Hello, > > unfortunately neither nmap people nor Metasploit people > are able to join our devcon. > Alternative ideas are welcome. > However, not having an invited talk would not lower the > value of the results surely achieved with the DevCon. > > Best > > Jan > > -- > Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/ > Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, > HR B 202460 > Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner > What about trying to invite people from OSSIM? Would that maybe facilitate the integration of OpenVAS results in OSSIM? I know some work has been done in this direction. Maybe there is not much to do, so this is only a suggestion. What do you think? Best Regards, Jonás Andradas. From Jan-Oliver.Wagner at greenbone.net Wed May 27 20:43:28 2009 
From: Jan-Oliver.Wagner at greenbone.net (Jan-Oliver Wagner) Date: Wed, 27 May 2009 20:43:28 +0200 Subject: [Openvas-discuss] OpenVAS DevCon: Invited Talk? In-Reply-To: References: <200905271519.29975.Jan-Oliver.Wagner@greenbone.net> Message-ID: <200905272043.28885.Jan-Oliver.Wagner@greenbone.net> Hello Jonas, On Wednesday 27 May 2009 17:12:27 Jonas Andradas wrote: > What about trying to invite people from OSSIM? Would that maybe facilitate > the integration of OpenVAS results in OSSIM? I know some work has been done > in this direction. Maybe there is not much to do, so this is only a > suggestion. What do you think? Good idea. Whom do you have in mind? Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/ Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück AG Osnabrück, HR B 202460 | Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner From jtomforde at live.com Tue May 26 19:27:53 2009 From: jtomforde at live.com (Jason Tomforde) Date: Tue, 26 May 2009 13:27:53 -0400 Subject: [Openvas-discuss] CR#27 - IPv6 Support Message-ID: +1 Thanks, Jason. From love.wadhwa at naukri.com Fri May 29 13:55:32 2009 
From: love.wadhwa at naukri.com (lovewadhwa) Date: Fri, 29 May 2009 17:25:32 +0530 Subject: [Openvas-discuss] error Message-ID: <1243598132.6516.8.camel@love-laptop> Hi all, I'm using openvas-client 2.0.3 to connect to my openvas server but getting the following error: Error: Invalid PLUGIN_INFO response from server Error: Error while updating the cached plugin information Error: Login failed I have no clue why this error is occurring. I had earlier some successful connections to my server and then it suddenly started giving errors. Please help. From Jan-Oliver.Wagner at greenbone.net Fri May 29 14:05:20 2009 From: Jan-Oliver.Wagner at greenbone.net (Jan-Oliver Wagner) Date: Fri, 29 May 2009 14:05:20 +0200 Subject: [Openvas-discuss] error In-Reply-To: <1243598132.6516.8.camel@love-laptop> References: <1243598132.6516.8.camel@love-laptop> Message-ID: <200905291405.22344.Jan-Oliver.Wagner@greenbone.net> On Friday, 29 May 2009, lovewadhwa wrote: > I'm using openvas-client 2.0.3 to connect to my openvas server but getting > the following error: > > Error: Invalid PLUGIN_INFO response from server > Error: Error while updating the cached plugin information > Error: Login failed > > > I have no clue why this error is occurring. I had earlier some successful > connections to my server and then it suddenly started giving errors. When did you last time sync with the OpenVAS NVT Feed? Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/ Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460 Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner From Jan-Oliver.Wagner at greenbone.net Fri May 29 14:10:47 2009 
From: Jan-Oliver.Wagner at greenbone.net (Jan-Oliver Wagner) Date: Fri, 29 May 2009 14:10:47 +0200 Subject: [Openvas-discuss] error In-Reply-To: <200905291405.22344.Jan-Oliver.Wagner@greenbone.net> References: <1243598132.6516.8.camel@love-laptop> <200905291405.22344.Jan-Oliver.Wagner@greenbone.net> Message-ID: <200905291410.49010.Jan-Oliver.Wagner@greenbone.net> On Friday, 29 May 2009, Jan-Oliver Wagner wrote: > On Friday, 29 May 2009, lovewadhwa wrote: > > I'm using openvas-client 2.0.3 to connect to my openvas server but getting > > the following error: > > > > Error: Invalid PLUGIN_INFO response from server > > Error: Error while updating the cached plugin information > > Error: Login failed > > > > > > I have no clue why this error is occurring. I had earlier some successful > > connections to my server and then it suddenly started giving errors. In case you compiled the client yourself, you may apply this patch to find out more: Index: nessus/comm.c =================================================================== --- nessus/comm.c (Revision 3507) +++ nessus/comm.c (Arbeitskopie) @@ -1334,6 +1334,7 @@ /* plugin information could not be parsed. Looks like a server * error */ show_error(_("Invalid PLUGIN_INFO response from server")); +fprintf(stderr,"PLUGIN_INFO parse error on this line:%s", buf); return -1; } } Probably we should write the details to log file always. Laban? Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/ Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460 Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner From jsimmons at goblin.punk.net Sat May 30 15:55:24 2009 
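Review bot: the fprintf added in the nessus/comm.c hunk (@@ -1334,6 +1334,7 @@) of the 29 May 14:10 message writes `buf` to stderr unmodified, and by the message text `buf` is the server-supplied line that just failed to parse. Since that content is by definition not in the expected format, bound its length and replace non-printable bytes before it reaches a terminal or log, for example with a precision such as `%.200s` plus an escaping pass. Three smaller points on the same line: the format string has no trailing newline, so the diagnostic can run into whatever is printed next; the string is not wrapped in `_()` the way the `show_error` call directly above it is; and the statement is not indented to match the surrounding block. If the detail is meant to be kept permanently, as the message suggests, routing it through the client's existing error or log path instead of a bare stderr write would avoid losing it when the GUI is started without a terminal.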
From: jsimmons at goblin.punk.net (Jeff Simmons) Date: Sat, 30 May 2009 06:55:24 -0700 Subject: [Openvas-discuss] CPPFLAGS problem - Mac OS X Message-ID: <200905300655.24083.jsimmons@goblin.punk.net> Trying to compile openvas (specifically openvas-libraries-2.0.2) on a Mac (10.5.8) using Mac Ports to add necessary libraries. Mac Ports puts files into /opt/local/include and /opt/local/lib, so I should need something like: LDFLAGS=-L/opt/local/lib CPPFLAGS=-l/opt/local/include The CPPFLAGS environmental variable crashes the ./configure script with the message: "C compiler cannot create executables". Without it, make can't find the necessary header files (specifically for gnutls). Anyone have any suggestions on this? -- Jeff Simmons jsimmons at goblin.punk.net Simmons Consulting - Network Engineering, Administration, Security "You guys, I don't hear any noise. Are you sure you're doing it right?" -- My Life With The Thrill Kill Kult From hans.ullrich at loop.de Sat May 30 16:26:15 2009 From: hans.ullrich at loop.de (Hans-J. Ullrich) Date: Sat, 30 May 2009 16:26:15 +0200 Subject: [Openvas-discuss] Please confirm md5sum Message-ID: <200905301626.16425.hans.ullrich@loop.de> Dear maintainers, I synced all the plugins using openvas-nvt-sync and it is telling me, md5sum is not o.k. I suppose, the transmission was o.k. (as I synced several times!), so might it be, that the source of md5sum on your server is wrong? It would be nice, if you could check this and deny or confirm this. Thank you very much! best regards Hans-J. Ullrich From mime at gmx.de Sat May 30 17:44:26 2009 
From: mime at gmx.de (Michael Meyer) Date: Sat, 30 May 2009 17:44:26 +0200 Subject: [Openvas-discuss] Please confirm md5sum In-Reply-To: <200905301626.16425.hans.ullrich@loop.de> References: <200905301626.16425.hans.ullrich@loop.de> Message-ID: <20090530154426.GA4433@m2.homelinux.org> Hello Hans, *** Hans-J. Ullrich wrote: > I synced all the plugins using openvas-nvt-sync and it is telling me, md5sum > is not o.k. > > I suppose, the transmission was o.k. (as I synced several times!), so might it > be, that the source of md5sum on your server is wrong? It would be nice, if > you could check this and deny or confirm this. Confirm. ;-) md5sum of the file 'md5sums' is not ok. ,---| | mime at kira:/opt/openvas-2.0.1/lib/openvas/plugins % md5sum -c md5sums | grep -iv ok | md5sums: FAILED | md5sum: WARNING: 1 of 22717 computed checksums did NOT match `---| Not sure whether someone is around until Tuesday to fix that. Micha From hans.ullrich at loop.de Sat May 30 17:49:52 2009 
From: hans.ullrich at loop.de (Hans-J. Ullrich) Date: Sat, 30 May 2009 17:49:52 +0200 Subject: [Openvas-discuss] Please confirm md5sum In-Reply-To: <20090530154426.GA4433@m2.homelinux.org> References: <200905301626.16425.hans.ullrich@loop.de> <20090530154426.GA4433@m2.homelinux.org> Message-ID: <200905301749.52509.hans.ullrich@loop.de> On Saturday 30 May 2009, Michael Meyer wrote: > Hello Hans, > > *** Hans-J. Ullrich wrote: > > I synced all the plugins using openvas-nvt-sync and it is telling me, > > md5sum is not o.k. > > > > I suppose, the transmission was o.k. (as I synced several times!), so > > might it be, that the source of md5sum on your server is wrong? It would > > be nice, if you could check this and deny or confirm this. > > Confirm. ;-) md5sum of the file 'md5sums' is not ok. > > ,---| > > | mime at kira:/opt/openvas-2.0.1/lib/openvas/plugins % md5sum -c md5sums | > | grep -iv ok md5sums: FAILED > | md5sum: WARNING: 1 of 22717 computed checksums did NOT match > > `---| > > Not sure whether someone is around until Tuesday to fix that. > > Micha Hi Michael, thanks for the info! I additionally found no package, which might cause the fault. So everyone can use it without any fear of security holes or crash. Nice to know! Thanks for the info again. Cheers Hans
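The `md5sum -c md5sums` run quoted in the thread reports the manifest's own entry as the single failure. The script below is an added example, not part of the thread or of openvas-nvt-sync: it classifies the failures from such a run so that a mismatch on the manifest's own entry is reported separately from mismatches on plugin files. The sample feed directory, its file names and the function names `make_sample_feed` and `check_feed` are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the failures reported by `md5sum -c` for a feed
# directory. All file names and contents below are constructed sample data.

# Build a small sample feed: two plugin files, a manifest covering both, and
# a manifest entry for the manifest itself carrying a checksum that cannot
# match (constructed to reproduce the "md5sums: FAILED" line from the thread).
make_sample_feed() {
    feed_dir=$1
    mkdir -p "$feed_dir"
    printf 'constructed plugin one\n' > "$feed_dir/a.nasl"
    printf 'constructed plugin two\n' > "$feed_dir/b.nasl"
    (
        cd "$feed_dir" || exit 1
        md5sum a.nasl b.nasl > md5sums
        printf '%s  md5sums\n' 00000000000000000000000000000000 >> md5sums
    )
}

# check_feed DIR [MANIFEST]
# Prints one line per failed entry: "manifest-entry NAME" or "plugin NAME".
# Returns 0 if everything matched, 1 if only the manifest's own entry failed,
# 2 if at least one other file failed (mismatch or unreadable),
# 3 if the manifest itself cannot be read.
check_feed() {
    feed_dir=$1
    manifest=${2:-md5sums}
    result=0
    if [ ! -r "$feed_dir/$manifest" ]; then
        echo "missing-manifest $manifest"
        return 3
    fi
    # LC_ALL=C keeps the "NAME: OK" / "NAME: FAILED" wording stable.
    # md5sum's summary warnings go to stderr and are dropped here.
    failures=$(cd "$feed_dir" && LC_ALL=C md5sum -c "$manifest" 2>/dev/null |
        grep -v ': OK$' || true)
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%%: FAILED*}
        if [ "$name" = "$manifest" ]; then
            echo "manifest-entry $name"
            if [ "$result" -eq 0 ]; then result=1; fi
        else
            echo "plugin $name"
            result=2
        fi
    done <<EOF
$failures
EOF
    return "$result"
}

# Demo run on the constructed feed.
demo_dir=$(mktemp -d)
make_sample_feed "$demo_dir"
check_feed "$demo_dir" || echo "check_feed exit status: $?"
rm -rf "$demo_dir"
```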