Mailing List Archive

Re: plugin categories (families)
yes, families, not categories.

> I don't think that having kazillons of families should be a problem, as
> long as we have more than one plugin in each!

I disagree. I think there should be only as many as necessary,
without being *too* general--but I don't want 100 families either!
We will always be able to argue about where a plugin should go
(Win/Web/File Access/etc), but that is okay.

I put some ideas below. I have what *I* would consider a good
reason for making the changes I propose, but folks may disagree,
and I may need to explain what I was thinking (trying to be brief).

- (Start of a) change proposal -
*Leave As-Is:
Denial of Service
FTP
General
Port scanners
RPC
Settings
SMTP (drop "problems" from name)
SNMP
Untested
Windows
Windows : User management
Firewalls

*Create:
Remote Shell
Routers
Service Info
Web

*Remove:
Backdoors (move to Service Info or Remote Shell)
CGI abuses (move to Web)
CISCO (move to Routers)
Finger abuses (move to Service Info, Remote Shell or appropriate)
Gain a shell remotely (move to Remote Shell)
Gain root remotely (move to Remote Shell)
Misc. (move to General or elsewhere)
NIS (move bootparamd.nasl to RPC, nis_server.nasl to General)
Useless service (move most to Service Info)

*Not sure:
Remote file access -- a *lot* of these could go to Web

Along with picking through the Misc/General to make sure things
are in the right place.

-Sullo
Re: plugin categories (families)
On Sat, Jul 20, 2002 at 04:40:10PM -0400, sullo wrote:
> - (Start of a) change proposal -
> *Leave As-Is:
> Denial of Service
> FTP
> General
> Port scanners
> RPC
> Settings
> SMTP (drop "problems" from name)
> SNMP
> Untested
> Windows
> Windows : User management
> Firewalls
>
> *Create:
> Remote Shell
> Routers
> Service Info
> Web
>
> *Remove:
> Backdoors (move to Service Info or Remote Shell)

Nah, keep this one. The plugins in it are usually very slow, and in some
cases you really know that's not needed (i.e. when scanning a freshly
installed computer).

I also think "Web" should/could be split in at least two families.
What about:

Web: reading of arbitrary files
Web: execution of arbitrary commands

(and we could even have
Web: Server flaws (as opposed to flaws in CGIs))



There is also the problem of a plugin that checks for a flaw in FTP
which gives a remote shell - in which family should that be ?

Lionel Cons suggested a while ago to change the families to keywords.
That would help the sorting of plugins. A plugin testing for an overflow
in an FTP server would have the keywords { "FTP", "Remote Shell" }. Then
the user would be able to view the plugins the way he wants to.


-- Renaud
Re: plugin categories (families)
"sullo" <sullo@cirt.net> writes:

> I disagree. I think there should be only as many as necessary,
> without being *too* general--but I don't want 100 families either!

IMHO, families should be used to quickly select or find plugins.
The way the GUI is made, the "optimal" configuration would be ~ 30
families with 30 plugins within each.
Anyway, I seriously doubt that we can achieve this!

Currently, families are defined according to:
- The tested service (e.g. FTP)
- What the effects are (root the box, DoS, and in a way "Settings")
- How the plugin is defined inside Nessus (Settings)
- The status of the plugin (Untested)

If we do not change the system (e.g. keywords, as Renaud wrote), we'll
have to find something intuitive & user friendly rather than logical.

> SMTP (drop "problems" from name)

OK

> Windows
> Windows : User management

Why two?

> *Remove:
> Backdoors (move to Service Info or Remote Shell)

I'd prefer to keep it. That's a well defined family.

> NIS (move bootparamd.nasl to RPC, nis_server.nasl to General)

OK, but I'd put nis_server to RPC too.

> Useless service (move most to Service Info)

Why remove this?

---------------------------------

Here is a proposition: we could define some high level families, and
add more precise families when there are too many plugins in them.
e.g. (names are not great):

Settings
Untested
Information gathering (would include Port scanners & a couple of Useless services?)

Basic OS services
File sharing (?)
FTP
RPC, RMI & RCMD
SMB, NetBIOS & M$
SNMP
WWW
WWW access control violation
WWW code execution (= r00t the box)
IIS API abuse
OS denial of service (= land, ping o' death etc + DoS in basic software?!)

External softwares
Misc. DoS
Backdoors

Network devices
Routers
CISCO (why not after all?)
Firewalls
Re: plugin categories (families)
On Sun, Jul 21, 2002 at 12:30:09PM +0200, Michel Arboi wrote:
> > Windows
> > Windows : User management
>
> Why two?


That's not sufficient. That should be at least four. Windows checks are
extremely broad.

("Windows: Registry permissions", "Windows: Hotfixes", "Windows: Shares"
and "Windows: User management").



-- Renaud
Re: plugin categories (families)
The way we use Nessus, having too granular families doesn't help
much, i.e. CISCO as a category to me is the same as having
Routers--just an easy way to disable unneeded checks on 99% of
scans. But I can see where that would be helpful to many
people...but since there aren't that many router checks overall...

Colin's idea of keywords is great, but it would require code change
to make it work right (?). Can we start defining them such that
they'll be ignored in the current version but used later? Also, how
complex will it make things--I still would rather not see 100+
families... Maybe the GUI has a family view AND a cross
referenced view (via a checkbox or something)? Very good idea
though--better than what I'm thinking here :)

Renaud wrote:
>Web: reading of arbitrary files
>Web: execution of arbitrary commands
>(and we could even have
>Web: Server flaws (as opposed to flaws in CGIs))

How granular do you see families? If I want to turn on/off web, two
families should be enough, and reading files/execution should *
always* be either CGI or server...? Would people really turn off
execution checks but leave the other two on?

Michel wrote:
> External softwares
> IIS API abuse
> File sharing

I don't think I'm sure what you mean with these... "File Sharing" is
NFS or M$ stuff or both?

Here's what I *think* we may be, changed via your ideas:
*Redefined Categories:
Backdoors
Denial of Service (Network)
Denial of Service (System)
Firewalls/Proxies
FTP
General
Information Gathering
Remote Shell
Routers
RPC/RMI/RCMD
Service Info
Settings
SMTP
SMB/NetBIOS
SNMP
Untested
Windows: Hotfixes
Windows: Registry
Windows: Shares
Windows: Users
WWW CGI
WWW Server

*Removes:
CGI abuses (move to Web)
CISCO (move to Routers)
Finger abuses (move to Service Info, Remote Shell or appropriate)
Gain a shell remotely (move to Remote Shell)
Gain root remotely (move to Remote Shell)
Misc. (move to General or elsewhere)
NIS (move to RPC)
Useless service (move most to Service Info)
Port Scanners (move to Information Gathering)
Remote file access (most to various WWW)

I think keywords is a better idea though.

-Sullo

___________________________________________________
http://www.cirt.net/
Home of Nikto
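An added example, not code from the thread or from the Nessus project, illustrating two points raised above: Renaud's suggestion that a plugin carry a keyword set such as { "FTP", "Remote Shell" } instead of a single family, and Sullo's follow-up question of whether keywords could be declared now in a way the current version ignores, with the GUI later offering both a family view and a cross-referenced view. The plugin header fragments are constructed; `script_family()` is the real NASL call, while the `# keywords:` comment line is a hypothetical convention (a comment, so an engine that does not know it simply skips it). Python is used for the model; nothing here is Nessus' own parser.

```python
import re
from collections import defaultdict

# Constructed plugin header fragments, not real Nessus plugins. script_family()
# is the NASL call the current GUI reads; the "# keywords:" comment is a
# hypothetical convention: today's engine skips it as a comment, a later
# version could parse it into the cross-referenced view.
PLUGIN_SOURCES = {
    "ftpd_overflow.nasl": '''
        script_family(english:"FTP");
        # keywords: FTP, Remote Shell
    ''',
    "wuftp_anon.nasl": '''
        script_family(english:"FTP");
        # keywords: FTP, Service Info
    ''',
    "cgi_file_read.nasl": '''
        script_family(english:"CGI abuses");
        # keywords: Web, Remote file access
    ''',
    "iis_cmd_exec.nasl": '''
        script_family(english:"CGI abuses");
        # keywords: Web, Remote Shell
    ''',
    "cisco_snmp.nasl": '''
        script_family(english:"CISCO");
        # keywords: Routers, SNMP
    ''',
    "backorifice.nasl": '''
        script_family(english:"Backdoors");
        # keywords: Backdoors, Remote Shell
    ''',
    "ping_of_death.nasl": '''
        script_family(english:"Denial of Service");
    ''',
}

# Accept both the old named-argument form and a bare string argument.
FAMILY_RE = re.compile(r'script_family\((?:english:)?"([^"]+)"\)')
KEYWORDS_RE = re.compile(r'^\s*#\s*keywords:\s*(.+?)\s*$', re.MULTILINE)


def parse_plugin(name, source):
    """Extract the legacy family and the keyword set from one plugin source.
    A plugin with no keyword comment falls back to its family, so the old
    one-family tree is always a subset of the keyword view."""
    fam = FAMILY_RE.search(source)
    family = fam.group(1) if fam else "General"
    kws = KEYWORDS_RE.search(source)
    keywords = ({k.strip() for k in kws.group(1).split(",") if k.strip()}
                if kws else {family})
    return {"name": name, "family": family, "keywords": keywords}


def load_plugins(sources=PLUGIN_SOURCES):
    return [parse_plugin(n, s) for n, s in sources.items()]


def family_view(plugins):
    """Current GUI: every plugin sits under exactly one family."""
    view = defaultdict(list)
    for p in plugins:
        view[p["family"]].append(p["name"])
    return {f: sorted(names) for f, names in view.items()}


def keyword_view(plugins):
    """Cross-referenced view: a plugin shows up under each keyword it carries,
    so the FTP overflow is listed under both FTP and Remote Shell."""
    view = defaultdict(list)
    for p in plugins:
        for kw in p["keywords"]:
            view[kw].append(p["name"])
    return {kw: sorted(names) for kw, names in view.items()}


def select(plugins, require=(), exclude=()):
    """Build a scan policy from keywords rather than families: keep a plugin
    if it carries any keyword in `require` (all plugins when empty) and none
    in `exclude` (e.g. skip the slow Backdoors checks on a fresh install)."""
    require, exclude = set(require), set(exclude)
    chosen = [p["name"] for p in plugins
              if not (exclude & p["keywords"])
              and (not require or require & p["keywords"])]
    return sorted(chosen)


if __name__ == "__main__":
    plugins = load_plugins()
    for fam, names in sorted(family_view(plugins).items()):
        print(f"{fam:20} {', '.join(names)}")
    print()
    for kw, names in sorted(keyword_view(plugins).items()):
        print(f"{kw:20} {', '.join(names)}")
    print()
    print("Remote Shell checks, no Backdoors:",
          select(plugins, require=["Remote Shell"], exclude=["Backdoors"]))
```

Run as a script it prints the same seven plugins twice, once under their single family and once under every keyword, which makes the thread's worry concrete: the one-family tree forces a choice (FTP or Remote Shell?) that the keyword view does not. The fallback of an unkeyworded plugin to its family is the design choice that lets the two views coexist during a migration.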