Penetration Testing mailing list archives
Re: [PEN-TEST] ISS not detecting unicode bug??
From: batz <batsy () VAPOUR NET>
Date: Fri, 17 Nov 2000 07:12:10 -0500
On Thu, 16 Nov 2000, Alfred Huger wrote:

:The SNI/Ballista position was that checks should be more than a banner
:grab and should actually (to a degree) exploit the problem to bring back
:'proof positive'.

Indeed. From the perspective of using an automated scanner, the banner grab (if it is available from the service) is vulnerable to false positives. However, if an exploit fails, which is quite common on the first try, especially with overflows and race conditions, you run the risk of a false negative.

False positives can be verified manually, false negatives are a serious problem.

I would say that the best thing a scanner can do is advise the operator of the possibility of a vulnerability, and suggest further action. Whisker does this nicely, as does Nessus.

IMHO, the most valuable product on the scanning market will be the one that is kept relatively current, has an interactive process where manual intervention and verification can be integrated into an open, machine parsable reporting format, built in XML or something, and that doesn't require a custom/proprietary viewer.

In the hands of a good intrusion team, something that doesn't have up to the minute exploits doesn't matter. It's whether the data and analysis from the intrusion team can be integrated into the report, and the data can be organized _any_ way the team needs it. The team can use their own clue to deal with 0-day problems and methods, it's just that they have to be able to document it.

This does not mean 35 choices in how to order or generate the report. It means extracting data from the report and being able to parse it into SQL, XML, hell even awk would be nice, and repackage it as a document.

Nessus is a lot like this. Unfortunately, even though Nessus is probably the best tool out there for many tasks, many companies believe they only get what they pay for.

I'm going to stop here before I start ranting about Godel, epistemology, and determinism, lest I sound completely insane.

;)

--
batz
Reluctant Ninja
Defective Technologies
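The reporting workflow described in the message above, as an added example that is not part of the original post: scanner findings are classified so that neither a banner match nor a failed exploit attempt is reported as a definite answer, analyst verification is merged in, and the result is loaded into SQL for re-querying. The XML element names, the `iis-unicode` check name, the addresses and the analyst notes are constructed assumptions, not the output of Nessus, Whisker or any other scanner.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample report; element and attribute names are assumptions,
# not the real output format of any scanner.
REPORT = """<report>
  <finding host="192.0.2.5" check="iis-unicode" method="banner" result="match"/>
  <finding host="192.0.2.6" check="iis-unicode" method="exploit" result="success"/>
  <finding host="192.0.2.7" check="iis-unicode" method="exploit" result="fail"/>
  <finding host="192.0.2.8" check="iis-unicode" method="banner" result="nomatch"/>
</report>"""

# Constructed analyst notes from manual verification: (host, check) -> (verdict, note)
MANUAL = {
    ("192.0.2.5", "iis-unicode"): ("not_vulnerable", "patched; banner unchanged"),
    ("192.0.2.7", "iis-unicode"): ("confirmed", "reproduced by hand on second try"),
}

def classify(method, result):
    """Map scanner evidence to a status without over-claiming either way."""
    if method == "exploit" and result == "success":
        return "confirmed"            # proof positive
    if method == "exploit" and result == "fail":
        return "possible"             # a failed attempt is not proof of safety
    if method == "banner" and result == "match":
        return "possible"             # banners can be stale or misleading
    return "no_evidence"

def build_db(report_xml, manual):
    """Load findings into SQLite, overlaying analyst verdicts on scanner status."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE findings (host, chk, method, status, source, note)")
    for f in ET.fromstring(report_xml).iter("finding"):
        key = (f.get("host"), f.get("check"))
        status, source, note = classify(f.get("method"), f.get("result")), "scanner", ""
        if key in manual:             # the analyst's verdict wins and is attributed
            status, note = manual[key]
            source = "analyst"
        db.execute("INSERT INTO findings VALUES (?,?,?,?,?,?)",
                   (*key, f.get("method"), status, source, note))
    return db

def hosts_with_status(db, status):
    rows = db.execute("SELECT host FROM findings WHERE status=? ORDER BY host", (status,))
    return [r[0] for r in rows]

if __name__ == "__main__":
    print(build_db(REPORT, MANUAL).execute("SELECT * FROM findings").fetchall())
```
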