[Openvas-discuss] Detecting vulnerabilities in non-packaged Software!
janmuhd at yahoo.com
Fri Aug 5 14:06:35 CEST 2011
For about a year or so I have been using the Nessus vulnerability scanner (though it is closed source now); I am trying to switch to OpenVAS or OpenSCAP (http://www.open-scap.org/page/Main_Page) along with Pakiti (http://pakiti.sourceforge.net/) for patch status monitoring.
I have configured and tested OpenVAS on 2-3 nodes, where I can run scans and get reports. Also, I have tested Pakiti (where my server fetches the latest security updates from remote Ubuntu/Fedora-based repositories for these nodes), and the clients report to the server with the list of their installed packages.
Now, I am really finding it hard to decide on the following issue:
What about all of the software which has been copied onto systems in non-package form, such as Apache Tomcat servers and the numerous JAR files used? This information isn't in the package database because it wasn't "installed" but just copied. For example, it may be possible, through the use of port-scanning software (e.g. OpenVAS), to detect and identify the Tomcat instances, provided they are running and are accessible via the network being scanned.
Is there any possibility to check for vulnerable software (such as those in the above examples) with any tool?
Any thoughts and/or documentation (links) etc. are very much appreciated.
Thanks in advance for your help.
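As an added example (not part of the original post, and not code from OpenVAS, Pakiti or Tomcat), the host-side counterpart to the network scan described above: walk a filesystem tree, read each JAR's MANIFEST.MF for its name and version, and recognise a copied-in Tomcat by the ServerInfo.properties that ships inside lib/catalina.jar, so software that is in neither the package database nor listening on the network still shows up in an inventory. The sample tree, its paths and its version numbers are constructed for the demonstration.

```python
# Host-side inventory of software that never went through the package manager.
# Sample tree below is constructed; paths and version numbers are made up.
import re, tempfile, zipfile
from pathlib import Path

MANIFEST = "META-INF/MANIFEST.MF"
TOMCAT_INFO = "org/apache/catalina/util/ServerInfo.properties"
KV = re.compile(r"\s*([^:=\s]+)\s*[:=]\s*(.*)")  # 'Key: value' or 'key=value'

def parse_properties(text):
    """Manifest / .properties lines -> dict (comments and continuation lines ignored)."""
    out = {}
    for line in text.splitlines():
        m = KV.match(line)
        if m and not line.lstrip().startswith(("#", "!")):
            out[m.group(1)] = m.group(2).strip()
    return out

def inspect_jar(path):
    """One record per readable JAR: manifest identity plus Tomcat version if present."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            rec = {"path": str(path), "name": None, "version": None, "tomcat": None}
            if MANIFEST in names:
                m = parse_properties(zf.read(MANIFEST).decode("utf-8", "replace"))
                rec["name"] = m.get("Implementation-Title") or m.get("Bundle-SymbolicName")
                rec["version"] = m.get("Implementation-Version") or m.get("Bundle-Version")
            if TOMCAT_INFO in names:  # only Tomcat's catalina.jar carries this file
                p = parse_properties(zf.read(TOMCAT_INFO).decode("utf-8", "replace"))
                rec["tomcat"] = p.get("server.number") or p.get("server.info")
            return rec
    except (zipfile.BadZipFile, OSError):  # not a JAR, unreadable, or missing
        return None

def inventory(root):
    """Every JAR under root, whether or not anything is listening on the network."""
    return [r for r in (inspect_jar(p) for p in sorted(Path(root).rglob("*.jar"))) if r]

def build_sample_tree():
    """Constructed sample: a copied-in Tomcat plus one application library JAR."""
    root = Path(tempfile.mkdtemp())
    (root / "opt/tomcat/lib").mkdir(parents=True)
    (root / "srv/app").mkdir(parents=True)
    with zipfile.ZipFile(root / "opt/tomcat/lib/catalina.jar", "w") as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\n")
        zf.writestr(TOMCAT_INFO, "server.info=Apache Tomcat/8.0.0\nserver.number=8.0.0.0\n")
    with zipfile.ZipFile(root / "srv/app/example-lib.jar", "w") as zf:
        zf.writestr(MANIFEST, "Implementation-Title: example-lib\nImplementation-Version: 1.2.3\n")
    return str(root)
```

Running `inventory()` over real roots such as /opt, /srv and /home gives a list that can be compared against the package database and against what OpenVAS found over the network.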