Mailing List Archive

Nessus 2.0.10 released + other news
[I'm trying to stick to the "newsletter" format for the new releases,
that should be more friendly than a changelog :]


1. Nessus 2.0.10 is available
-----------------------------


Nessus 2.0.10 should be the last 2.0.x version of Nessus, as all the effort
will now be focused on the 2.1.x branch.


Here is what is new in 2.0.10. Note that if you run nessus-update-plugins
regularly (as you should), then you are probably already using these
enhancements.

o Service version fingerprinting

Perhaps the biggest new feature in Nessus 2.0.10 is the extensive use which
is made of the fingerprinting plugins - plugins which can recognize the
name and version of the remote service, even if its banner has been changed.

While fingerprinting is hardly new, we now use it extensively (especially
for web servers), by avoiding "useless" checks - for instance,
Nessus won't look for buggy php scripts on a web server which is known
to not support PHP at all. This results in faster checks and fewer false
positives.

I would like to thank everyone who submitted service signatures - please
keep them coming !


o Distros doing "backports" of their patches

A real nuisance for Nessus users out there are distros which "backport"
security fixes (ie: a flaw is discovered in OpenSSH 3.6, and instead
of updating their version of OpenSSH to 3.7, the distro maintainers
commit the fixes in their 3.6 tree, which makes Nessus think that the server
has not been patched).

Laurent FACQ came up with a very elegant solution for this, which
relies on the fact that every vendor puts some kind of tag next to the
version of the service.

Nessus should not false positive any more against AltLinux, Apple's MacOSX,
Debian, FreeBSD and IBM's Apache. I'm in discussion with other distros to
make them include some tag which would help Nessus determine if a service
has been patched at all, hopefully they will accept and appear on this list.



Here is the full 2.0.10 changelog :

. changes by Michel Arboi (mikhail@nessus.org)

- WWW fingerprinting
- Partially fixed hydra.nes

. changes by (galt@fiberpimp.net)

- IP addresses are now sorted in EVERY report

. changes by Laurent FACQ (facq@u-bordeaux.fr)

- Automagically rewrite banners to handle distributions which do
backporting of security fixes (ie: Debian)

. changes by Renaud Deraison (deraison@cvs.nessus.org)

- Fixed MacOS X portability issues
- Non-intrusive OS-fingerprinting (based on xprobe's techniques)
- DNS fingerprinting
- killall -1 nessusd does not restart the bpf server on BSD systems
- longer connect() timeout for TCP sockets
- Fixed hydra.nes




Download Nessus 2.0.10 now at <http://www.nessus.org/download.html>



2. Nessus nominated "best open source product of 2003" by PC Magazine
----------------------------------------------------------------------

PC Magazine nominated Nessus as being one of the three "best open source
product" of 2003 :

<http://www.pcmag.com/article2/0,4149,1420870,00.asp>

This allowed me to discover that PCMag actually did a review of Nessus against
other scanners, and Nessus was pinned down for not having good reporting
features (which is a little expected - Nessus is a *SCANNER*. It produces
data, it does not beautify it).

According to the review, they were impressed by Nessus's ease of installation.
That's the advantage of limiting dependencies to third-party libraries -
you don't force the user to go "library fishing" for a whole day before
they can install it.


3. Nessus 2.2 GUI
-----------------

For Nessus 2.2, I have decided to re-write the current GTK client from
scratch, so I am running a quick poll.

Do you prefer a GUI in :

[ ] GTK 2.0
[ ] Qt

I'd rather warn you that I am very down on GTK at this time - these guys
keep breaking their own API between major versions, which makes my life
very difficult to keep everyone happy. Another issue is that if you want
to install GTK 2.0, you now have to install a boatload of annex libraries,
like pango and other stuff which is updated every day or so.

Qt on the other hand has a very stable and clean API, however it
requires C++ (which tends to be present where gcc is, but I know of some
systems which are still C-only).

So I'd like to have the input of as many of you as possible to determine
where the GUI thing is going.


4. Nessus.org RSS feeds
-----------------------


If you are an RSS addict, then you should know that all the newest
Nessus plugins are now available as an RSS feed :

<http://www.nessus.org/rss.php>


If you don't know what RSS is, read :
<http://www.webreference.com/authoring/languages/xml/rss/intro/>





That's all for today - take care !


-- Renaud
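
The vendor-tag idea from the "backports" item above, as an added example that is not part of the original post and is not Nessus's own plugin code: a version-only check reports "vulnerable" only when the banner carries no vendor tag, and otherwise flags the host as possibly backported. The tag patterns, the result labels and the sample banners are assumptions constructed for illustration.

```python
import re

# Assumed vendor-tag patterns for the vendors the newsletter names; the exact
# strings each vendor puts in its banners are not given in the post.
VENDOR_TAGS = {
    "Debian": re.compile(r"\bDebian\b", re.I),
    "FreeBSD": re.compile(r"\bFreeBSD\b", re.I),
    "ALT Linux": re.compile(r"\bALT ?Linux\b", re.I),
    "Mac OS X": re.compile(r"\bDarwin\b", re.I),
    "IBM Apache": re.compile(r"\bIBM_HTTP_Server\b", re.I),
}
VERSION_RE = re.compile(r"\b(OpenSSH|Apache)[_/](\d+(?:\.\d+)*)")

def parse_version(banner):
    """Return (product, version tuple) from a banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))

def vendor_tag(banner):
    """Return the first vendor whose tag appears in the banner, or None."""
    for vendor, pattern in VENDOR_TAGS.items():
        if pattern.search(banner):
            return vendor
    return None

def assess(banner, product, fixed_in):
    """Classify a banner for a flaw fixed upstream in version `fixed_in`."""
    parsed = parse_version(banner)
    if parsed is None or parsed[0] != product:
        return "not-applicable"
    if parsed[1] >= fixed_in:
        return "patched"
    # Old upstream version: a vendor tag means the fix may be backported,
    # so the version number alone must not be reported as a finding.
    return "backport-possible" if vendor_tag(banner) else "vulnerable"

# Constructed sample banners (not captured from real hosts).
SAMPLES = [
    "SSH-2.0-OpenSSH_3.6.1p2",
    "SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9",
    "SSH-2.0-OpenSSH_3.5p1 FreeBSD-20030924",
    "SSH-2.0-OpenSSH_3.7.1p2",
    "Apache/1.3.26 (Unix) Debian GNU/Linux",
]

if __name__ == "__main__":
    for b in SAMPLES:
        print(f"{assess(b, 'OpenSSH', (3, 7)):18} {b}")
```

A "backport-possible" result is the cue to confirm the installed package revision on the host instead of reporting the flaw from the banner.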