Sunday, June 26, 2005

Trying Nessus Registered Feed

I described installing Nessus earlier, and last year I talked about the new Nessus license system. Since I was installing Nessus on a server strictly for scanning my own lab network, I decided to see what was involved with obtaining the Tenable Security Registered Feed.

When I first installed Nessus, I received this warning:

Loading the plugins... 204 (out of 2225)
------------------------------------------------------------------------------
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, your security audits might produce incomplete
results.

To obtain a full plugin feed, you need to register your Nessus scanner
at the following URL :

http://www.nessus.org/register/

I manually checked the contents of the /usr/local/lib/nessus/plugins directory just after installing the security/nessus-plugins FreeBSD package to count the number of NASL scripts. There were indeed 2225.

Next I ran /usr/local/sbin/nessus-update-plugins on my Nessus server to see if it would retrieve any additional plugins, without registering. It did.

nessus-update-plugins -v
x ./
x ./12planet_chat_server_xss.nasl
x ./3com_nbx_voip_netset_detection.nasl
x ./3com_switches.nasl
x ./404_path_disclosure.nasl
x ./4553.nasl
...edited...
x ./zyxel_http_pwd.nasl
x ./zyxel_pwd.nasl
ls /usr/local/lib/nessus/plugins | wc -l
2301

I registered for the Registered Feed and made note of this provision of the license:

"This Agreement permits you to use the Plugins to detect vulnerabilities only on your system or network. If you intend to use the Plugins to detect vulnerabilities on the systems or networks belonging to third parties (eg: if you are a consultant or a Managed Security Services Provider) then click here for the consultants and MSSPs license agreement."

A look at the consultant and MSSP license on the referenced page revealed a section important to me:

"Tenable grants to you a...license...(i) to download the Plugins made available to you through the Registered Plugin Feed during the term of this Agreement and (ii) to use the Plugins in conjunction with Registered Scanners obtained directly from www.nessus.org or www.tenablesecurity.com to detect vulnerabilities only on your system or network or on the system or network of a third party for which you perform scanning services, auditing services, incident response servers, vulnerability assessment services or other security consulting services. You may only use the Plugins in conjunction with the number of Registered Scanners for which you have obtained directly from www.nessus.org or www.tenablesecurity.com and paid the applicable annual subscription fee."

This means that security consultants using Nessus must pay an annual $1200 fee to access the Direct Feed. Free use of the Tenable plugins is only allowed on one's own network. The rationale behind this approach was explained in this Nessus mailing list thread from January 2005. Anyone with questions about that should read the FAQ.

After I registered I received a code via email. I ran nessus-fetch to activate my account and then the update script.

janney:/root# nessus-fetch --register codegoeshere
Your activation code has been registered properly - thank you.
janney:/root# nessus-update-plugins -v
x ./
x ./04webserver.nasl
x ./12planet_chat_server_path_disclosure.nasl
x ./12planet_chat_server_plaintext_password.nasl
...edited...
x ./zyxel_http_pwd.nasl
x ./zyxel_pwd.nasl
janney:/root# ls /usr/local/lib/nessus/plugins | wc -l
8164

That's quite a difference! Should any clients approach me to perform vulnerability assessment services, I will order the Direct Feed if I plan to use Nessus.
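The counts above come from ls | wc -l, which counts every entry in the plugin directory (including .inc include files), not only NASL scripts. As an added example that is not part of the original post, the following POSIX shell functions count only *.nasl files and list which plugins a feed update added between two snapshots of the directory; the sample directories and file names are constructed for the demo and stand in for /usr/local/lib/nessus/plugins before and after nessus-update-plugins.

```shell
#!/bin/sh
# Added example, not code from the original post. Counts the NASL plugins in a
# Nessus plugin directory and reports which plugins a feed update added.
# Only *.nasl files are counted, so .inc include files do not inflate the number.

# Print a sorted list of *.nasl file names found in directory $1.
list_nasl() {
    for f in "$1"/*.nasl; do
        [ -f "$f" ] && printf '%s\n' "${f##*/}"
    done | sort
}

# Count *.nasl plugins in directory $1 (prints a bare integer).
count_nasl() {
    list_nasl "$1" | wc -l | tr -d ' '
}

# Print plugin names present in directory $2 but not in directory $1,
# i.e. what an update added between a "before" and an "after" snapshot.
added_nasl() {
    snap_before=$(mktemp); snap_after=$(mktemp)
    list_nasl "$1" > "$snap_before"
    list_nasl "$2" > "$snap_after"
    comm -13 "$snap_before" "$snap_after"
    rm -f "$snap_before" "$snap_after"
}

# Constructed sample data: two throwaway directories with empty files whose
# names mimic real plugin names. These are not real plugin files.
DEMO_BEFORE=$(mktemp -d)
DEMO_AFTER=$(mktemp -d)
for name in 3com_switches.nasl zyxel_pwd.nasl http_version.inc; do
    : > "$DEMO_BEFORE/$name"
    : > "$DEMO_AFTER/$name"
done
for name in 04webserver.nasl 12planet_chat_server_path_disclosure.nasl; do
    : > "$DEMO_AFTER/$name"
done

echo "before update: $(count_nasl "$DEMO_BEFORE") plugins"   # 2 (the .inc file is ignored)
echo "after update:  $(count_nasl "$DEMO_AFTER") plugins"    # 4
echo "added by the update:"
added_nasl "$DEMO_BEFORE" "$DEMO_AFTER"
rm -rf "$DEMO_BEFORE" "$DEMO_AFTER"
```

To use this on a real scanner, call count_nasl on the plugin directory before and after running nessus-update-plugins, or copy the directory aside first and pass the copy and the live directory to added_nasl.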
