[Openvas-discuss] Detecting vulnerabilities in non-packaged Software!

Jan Muhammad janmuhd at yahoo.com
Fri Aug 5 14:06:35 CEST 2011


Hi Group,

For about a year or so I have been using the Nessus vulnerability scanner (though it is closed source now); I am trying to switch to OpenVAS or OpenSCAP (http://www.open-scap.org/page/Main_Page) along with Pakiti (http://pakiti.sourceforge.net/) for patch status monitoring.


I have configured and tested OpenVAS on 2-3 nodes where I can run scans and get reports. I have also tested Pakiti (where my server fetches the latest security updates from remote Ubuntu/Fedora-based repositories for these nodes), and the clients report to the server with the list of their installed packages.


Now, I am really finding it hard to decide on the following issue:

What about all of the software which has been copied onto systems in non-package form, such as Apache Tomcat servers and the numerous JAR files used? This information isn't in the package database because it wasn't “installed” but just copied. For example, it may be possible through the use of port-scanning software (e.g. OpenVAS) to detect and identify the Tomcat instances — provided they are running and are accessible via the network being scanned.

Is there any possibility to check for vulnerable software (such as those in the above examples) with any tool?

Any thoughts and/or documentation (links) etc. are very much appreciated.

Thanks in advance for your help.

-Jan 
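An added example (not part of the original post, and not OpenVAS or Pakiti code) of the inventory step the question describes: walking a directory tree, opening each copied JAR, and reading its META-INF/MANIFEST.MF, or Tomcat's ServerInfo.properties inside catalina.jar, to recover a name/version pair that an OS package database would never hold. The manifest attribute names (Implementation-Title/Version, Bundle-SymbolicName/Version) and the ServerInfo.properties path are standard; the sample JARs built by sample_jar are constructed fixtures.

```python
"""Added example (not OpenVAS/Pakiti code): inventory non-packaged Java software
by opening every .jar under a directory and reading its manifest, or Tomcat's
ServerInfo.properties, so name/version pairs can be matched to advisories."""
import io
import zipfile
from pathlib import Path

MANIFEST = "META-INF/MANIFEST.MF"
TOMCAT_INFO = "org/apache/catalina/util/ServerInfo.properties"  # inside lib/catalina.jar


def parse_manifest(text):
    """Main section only: 'Key: value' lines, a leading space marks a continuation."""
    attrs, last = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            break  # blank line ends the main section; per-entry sections follow
        if raw.startswith(" ") and last:
            attrs[last] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if sep:
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def identify_jar(src, label=""):
    """Name/version hints inside one JAR; src is a path or a file-like object."""
    info = {"path": label or str(src), "name": None, "version": None}
    with zipfile.ZipFile(src) as zf:
        names = zf.namelist()
        if MANIFEST in names:
            m = parse_manifest(zf.read(MANIFEST).decode("utf-8", "replace"))
            info["name"] = m.get("Implementation-Title") or m.get("Bundle-SymbolicName")
            info["version"] = m.get("Implementation-Version") or m.get("Bundle-Version")
        if TOMCAT_INFO in names:  # the line looks like "server.info=Apache Tomcat/7.0.19"
            for line in zf.read(TOMCAT_INFO).decode("utf-8", "replace").splitlines():
                if line.startswith("server.info="):
                    info["name"], _, info["version"] = line[12:].partition("/")
    return info


def inventory(root):
    """Every JAR below root (e.g. a Tomcat install directory), in a stable order."""
    return [identify_jar(p, str(p)) for p in sorted(Path(root).rglob("*.jar"))]


def sample_jar(members):  # constructed fixture: an in-memory JAR with the given members
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    buf.seek(0)
    return buf
```

JARs with neither a manifest identity nor a Tomcat properties file come back with name and version set to None, which is itself a useful list: those are the files that still need a hash or filename lookup to be accounted for.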