Wednesday, December 08, 2004

Nessus Developments

Recently I reviewed the new Syngress Nessus book, after installing Nessus 2.2 using the security/nessus FreeBSD port. Yesterday Tenable Network Security relaunched the Nessus home page. The author of the Nessus vulnerability scanner is Renaud Deraison, who co-founded Tenable and currently serves as Chief Research Officer there. Tenable formally supports the development of Nessus.

Along with a sharp new Web design and the release of Nessus 2.2.1, the site announced a new policy on plug-ins. Plug-ins are code written in the Nessus Attack Scripting Language (NASL) which perform vulnerability checks. Tenable is offering three feeds for Nessus plug-ins:

  • The Direct Feed "is commercially available [and] entitles subscribers to the latest vulnerability checks," immediately. It costs $1200 per scanner per year.

  • The Registered Feed "is available for free to the general public, but new plugins are added seven days after they are added to the Direct Feed." Registration and conformance with the plug-in license is required.

  • The GPL Feed "does not require registration, and includes plugins written by the user community. As manager of the Nessus project, Tenable continues to accept plugins written from the Nessus and NeWT user communities. Plugins accepted with a copyright under the GNU Public License will be distributed to the Direct, Registered and Public feeds at the same time."

The last feed description mentioned NeWT, which is a Windows-based Nessus server. NeWT is available free of charge, but users can only scan their local subnet. NeWT Pro is a commercial product without limitations. The original Nessus UNIX server remains open source. Tenable also sells the NeVO passive vulnerability monitor, the Lightning ESM console, and the Thunder secure log aggregation and analysis product.
I have no problem with this new arrangement. Tenable offers two core Nessus products. First, there is the vulnerability scanning engine, which has several flavors. Tenable is paying for core developers to maintain and improve the original Nessus UNIX server and clients. They are selling a commercial version that runs on Windows, and offer for free a subnet-limited version that runs on Windows as well. The second product are NASL scripts. Tenable pays full-time salaries for developers to create these scripts.

Consider an alternative approach taken by a similar industry: anti-virus vendors. A company like Symantec sells both its scanning engine and signatures in closed-source form. They do this because the manpower required to create both products is considerable.

Tenable is still making a completely workable Nessus solution (UNIX Nessus server, clients, and signatures) available in open source form. The only change is that NASL scripts developed in-house by Tenable will be available to non-paying users seven days after paying customers receive them. If the NASL scripts developed by the open source community and released under the GPL are so much better than those Tenable creates, those NASL scripts will be immediately available. I would be surprised to see community-developed scripts surpass Tenable's however.
Sourcefire is a company in a similar situation. They and founder Marty Roesch were just featured in a Business Week article. Sourcefire pays developers to work on Snort and its signatures. Sourcefire then sells hardware appliances running Snort, along with an enterprise administration console. Sourcefire's greatest value lies in its RNA product, which provides context for its sensor.

I am surprised Sourcefire makes its signatures available free-of-charge. I would have no problem seeing them adopt a strategy similar to Tenable's. You can judge the effectiveness of one aspect of the open source community's Snort rule creation process by trying the signatures at

No comments: