Dailydave mailing list archives

Re: building a nessus community - by and for users (request)


From: Matt Jonkman <matt () infotex com>
Date: Tue, 03 May 2005 22:43:15 -0500

Gadi Evron wrote:
> Hello Matt.
>
> There is currently an on-going semi-discussion almost flame on the
> dailydave mailing list about nessus.

Wasn't a member of the list, but am joining now. Thanks for bringing this to my attention, Gadi.


> I wonder, would it be possible to incorporate into bleeding snort a
> similar project for nessus, in order to build a user-maintained
> community and encourage people to learn NASL and code plugins? Maybe the
> same people who build snort signatures with the same knowledge,
> currently, for bleeding snort?
>
> I'd appreciate you joining the discussion and presenting how such a
> thing might work, so that both the people at tenable and others can see
> the options.

The idea has been thrown around before, and thrown into my court several times now by different folks.

I'm not averse to a new community branch within bleeding snort. We have the technical resources, bandwidth, etc. But lack the admin staff interest and experienced nasl coders as far as I've seen.

I base that statement on a couple of ventures we've tried. The most recent being the bleeding-spyware project. For those not familiar, about 6 months ago we tried to start a project where we'd identify spyware through the normal means, and write at the same time nasl to detect it remotely, and snort sigs to detect it via the network traffic generated. Our goal was to avoid duplicating efforts in each field, and increasing the number of packages detected by both.

Renaud did some great work for us making a few libs for nasl to do direct remote registry dips to find keys of spyware. Things were all set to have a great project. We had around 50 folks volunteer and join the lists to write snort sigs and help identify spyware.

But unfortunately after much pleading and a good deal of time we couldn't find a single experienced nasl coder willing to be co-chair of the project, and without that we were just making snort sigs unfortunately. Maybe one day we'll be able to revive that project (and maybe with a wider focus than spyware). But for now it's dead for lack of experience in nasl.

I'll try to tie up my rambling shortly, but the point of that story was that we do need a nasl-encouraging community. But I ain't the guy that knows it, thus I'm not the guy to start teaching it. :)

I would be very interested in a community such as that, but don't see a need for a new plugin feed. Renaud does incredible pro-bono work on the plugin feed, and *I'm* not aware of there ever being an issue where a plugin was not released for personal or opinion reasons that was submitted.

Bleeding Snort has succeeded because it was the right time, right place, and there is an abundance of snort expertise out there and a lot of folks that have been incredibly generous with their time, many with direct support of their employers to do so. If a nessus community were to be feasible it would need those things.

So, I'd be happy to start a fork of bleeding snort and provide the resources to make a nessus community (maybe make bleeding snort and this project work together, sharing info on exploits, etc?) if the following things were possible:

1. The community could muster at least a few nasl experts with time to contribute

2. At least initially any plugins written by the community could just be redistributed via Renaud, but maybe maintained on the community project (gives that feeling of it's ours, and might get more community support)

3. The community could muster the experts willing to start building the basic how-to's and answer the myriad of stupid questions that'll come of a new community, to the ends of inspiring and teaching a new generation of nasl coders. (I'd probably be one of those new coders. Always wanted to learn, never had the time or a how-to that dropped into my lap)

4. There were at least a few commercial entities willing to be informal sponsors of the project, and make time for their internal nasl experts to contribute. This seems unimportant, but I can't emphasize enough the importance of the companies that are doing that for bleeding snort, and the legitimacy and stability that lends to our project.

Don't take those as conditions or anything like that. Just advice from someone that's started many failed projects, and one good one. :) If those things come to be I'll happily jump in and do what I can as well. I use nessus on a regular basis, and am extremely satisfied with it. I want to give back.

But I gotta say, Renaud and Michael and crew often have a plugin out before I've had time to read the advisory. :) When we started bleeding snort there was a feeling that signatures were being updated far too infrequently, that's why we got somewhere I think. I'm not sure there are similar conditions in the nessus world. But there is a need for a teaching community possibly.

And I'll step down from my soapbox now. :) Happy to expand further if there are other questions on the subject.

Matt


--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------

