Mailing List Archive

Self GUI
Hi,

I'm a newbie in security and I'm trying to develop a platform for IDS
evaluation. It would be a GUI where you can choose between using Nessus
to attack or sending previously captured data in tcpdump format to the
net. Regarding Nessus, I have several questions about it:

- is it possible to create an independent GUI and call plugins located
in the nessusd server?

- is all the traffic generated by Nessus malicious? I mean, is there any
"good" packet during an attack?

- if I write my program in C++, how could I call NASL plugins to perform
an attack against an IDS?

Thanks a lot,

David
Re: Self GUI
On Wed, Apr 06, 2005 at 05:16:19PM +0200, David wrote:

> - is it possible to create an independent gui and call
> plugins located in the nessusd server?

Some of the plugins can be run from a command line using the
nasl interpreter. Many, though, require access to KB
entries, which the command-line nasl tool doesn't support.
[Note: Pavel Kankovsky posted some patches to nessus-devel
about a year ago to support that. I never used them myself
and don't know if they will work with the current version.]

> - all the traffic generated by nessus is malicious? i mean
> , is there any "good" packet during an attack?

Is sending "GET /" to a web server malicious? Many plugins
rely on such requests to check for banners of vulnerable
software.

Others log into remote hosts using accounts that have been
set up by administrators for the purpose of collecting
information locally (e.g., running "rpm -qa" on a RedHat
system). Is such traffic malicious?

The answer is not as simple as you'd like it to be, I
suspect.

George

--
theall@tenablesecurity.com
Re: Self GUI
David, hello.

Is this going to be a GPL based app? If it isn't, you may have trouble
communicating w/ the nessus server without looking at the GPLd nessus
code.

> > - is it possible to create an independent gui and call
> > plugins located in the nessusd server?

It is. See "Nessus Transfer Protocol". I suggest you get acquainted
with the OpenSSL library as well.

> > - all the traffic generated by nessus is malicious? i mean
> > , is there any "good" packet during an attack?

As George already answered, not all traffic is considered malicious.
There really is no good classification; however, you can probably say
that plugins which are classified as ACT_DESTRUCTIVE or ACT_KILL_HOST
or ACT_DENIAL are probably going to send something unpleasant down the
wire. However, often some of these plugins work in two modes,
depending on whether safe checks is enabled (i.e. either grab banners,
or send "less" malicious traffic).

I have not looked at the code of libnasl, but I bet that it is in C.
This should not pose any big hurdles for you to link against with C++,
though. Once again, if you do use libnasl, you will have to have your
app licensed under the GPL (this does NOT mean that you HAVE to
release it to the public, see the license for details).

Hope this helps.

Nick
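As an added illustration of the point Nick makes about plugin categories and safe checks (this is my own example, not code from the thread, from Nessus, or from libnasl): a small Python script that reads the script_category() declaration out of a plugin's NASL source and looks for a safe_checks() branch, then predicts whether the plugin will put banner-grab traffic or something unpleasant on the wire. The four plugin sources are constructed stand-ins, not real Nessus plugins. The category constants are the ones NASL scripts declare (ACT_GATHER_INFO, ACT_ATTACK, ACT_KILL_HOST, ACT_DENIAL, ...); I match the ACT_DESTRUCTIVE prefix so that the full ACT_DESTRUCTIVE_ATTACK spelling is caught as well. The script only reads what the plugin source says; it does not model whatever nessusd itself does with the safe_checks setting, so treat its verdict as a first filter for an IDS test corpus, not as ground truth.

```python
import re
from dataclasses import dataclass

# Category prefixes whose plugins are expected to send unpleasant traffic
# (matches ACT_DESTRUCTIVE_ATTACK too). ACT_FLOOD is my own addition to
# the three categories named in the post.
UNPLEASANT_PREFIXES = ("ACT_DESTRUCTIVE", "ACT_KILL_HOST", "ACT_DENIAL", "ACT_FLOOD")
# Plain attack categories: exploit attempts, but not meant to take the host down.
ATTACK_CATEGORIES = {"ACT_ATTACK", "ACT_MIXED_ATTACK"}

CATEGORY_RE = re.compile(r"script_category\s*\(\s*(ACT_[A-Z_]+)\s*\)")
SAFE_CHECKS_RE = re.compile(r"\bsafe_checks\s*\(\s*\)")

# Constructed sample plugin sources (not real Nessus plugins).
SAMPLE_PLUGINS = {
    "http_version.nasl": r'''
if (description) {
  script_name("HTTP server version");
  script_category(ACT_GATHER_INFO);
  exit(0);
}
soc = open_sock_tcp(80);
send(socket:soc, data:'GET / HTTP/1.0\r\n\r\n');
''',
    "frob_overflow.nasl": r'''
if (description) {
  script_category(ACT_DESTRUCTIVE_ATTACK);
  exit(0);
}
if (safe_checks()) {
  banner = get_http_banner(port:80);
  if ("Frobnicator/1.0" >< banner) security_hole(80);
  exit(0);
}
send(socket:soc, data:crap(5000));
''',
    "land_dos.nasl": r'''
if (description) {
  script_category(ACT_KILL_HOST);
  exit(0);
}
send_packet(forge_tcp_packet(ip:ip, th_sport:139, th_dport:139));
''',
    "ftp_bounce.nasl": r'''
if (description) {
  script_category(ACT_ATTACK);
  exit(0);
}
send(socket:soc, data:'PORT 127,0,0,1,0,80\r\n');
''',
}


@dataclass
class PluginInfo:
    name: str
    category: str
    honours_safe_checks: bool   # True if the source branches on safe_checks()


def parse_plugin(name, source):
    """Extract the declared category and whether a safe-checks branch exists."""
    m = CATEGORY_RE.search(source)
    category = m.group(1) if m else "UNKNOWN"
    return PluginInfo(name, category, bool(SAFE_CHECKS_RE.search(source)))


def traffic_class(info, safe_checks_enabled):
    """Return 'unpleasant', 'attack' or 'benign' for the traffic this plugin sends."""
    if info.category.startswith(UNPLEASANT_PREFIXES):
        nasty = "unpleasant"
    elif info.category in ATTACK_CATEGORIES:
        nasty = "attack"
    else:
        return "benign"          # banner grabs, settings, scanners, ...
    if safe_checks_enabled and info.honours_safe_checks:
        return "benign"          # plugin falls back to its banner/version check
    return nasty


def classify_plugins(plugins, safe_checks_enabled):
    """Map plugin name -> expected traffic class for a given safe-checks setting."""
    return {name: traffic_class(parse_plugin(name, src), safe_checks_enabled)
            for name, src in plugins.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"safe checks {'on' if mode else 'off'}:")
        for name, cls in classify_plugins(SAMPLE_PLUGINS, mode).items():
            print(f"  {name:22s} {cls}")
```

Run against a real plugin directory you would read each .nasl file into the dictionary instead of the constructed sources; the point of the two-mode output is that a plugin like the constructed frob_overflow.nasl is "unpleasant" with safe checks off and becomes a plain banner check with them on, while one with no safe_checks() branch keeps its category either way.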