Penetration Testing mailing list archives

RE: nessus exceptions


From: "Strand, John" <John.Strand () mms gov>
Date: Fri, 6 Aug 2004 08:36:00 -0600

Hey Chris,

It should be fairly obvious if there is a high level of false positives and
vulnerabilities that make no sense at all. Good penetration and TVA testers
will go through measures to verify as many of the vulnerabilities as
possible. 

So...

If there is a ridiculous number of false positives which seem like it would
be obvious in light of a little digging, they are probably just running
Nessus with safe checks on, and not looking into the vulnerabilities any
further.

I wouldn't worry about it too much; it will be painfully apparent when they
submit their report. I have been through many audits, with many different
firms, and the vast majority of them (90%) simply run Nessus or ISS, then dump a
spreadsheet on your desk with their logo. I have noticed that the smaller
firms tend to do better, though.

Nessus is a great tool, but it is only one tool. Any vulnerabilities should
also be verified manually as well (nc, checking versions, etc.) 

Good luck,


John
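The reply above recommends confirming each Nessus finding by hand (connecting with nc, checking the version the service actually reports). The script below is an added illustration of that triage step; it is not from the thread or from Nessus. The findings, the host 192.0.2.10, the banners and the "fixed-in" version thresholds are all constructed for the example and do not correspond to real advisories or Nessus plugin names. `grab_banner` is the plain "nc host port" check and is only useful for services that speak first (SSH, FTP, SMTP); for HTTP you would send a request and read the `Server` header, which is what the constructed banner for port 80 stands in for.

```python
"""Triage scanner findings against the banners the services actually send.

Added example, not code from the mailing-list thread or from Nessus.
All hosts, banners and version thresholds below are constructed.
"""
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


@dataclass
class Finding:
    """One scanner finding: the product it fingerprinted and the version the
    scanner treats as fixed (anything below it is reported as vulnerable)."""
    host: str
    port: int
    product: str
    fixed_in: str
    plugin: str  # constructed label for the example, not a real Nessus plugin


def parse_version(text: str) -> Optional[Version]:
    """First dotted version in text as a tuple of ints: '2.0.52' -> (2, 0, 52)."""
    m = re.search(r'(\d+(?:\.\d+)+)', text)
    return tuple(int(p) for p in m.group(1).split('.')) if m else None


def product_version(product: str, banner: str) -> Optional[Version]:
    """Version that follows the product name in a banner, so that for
    'SSH-2.0-OpenSSH_3.8.1p1' we get 3.8.1 and not the protocol version 2.0."""
    pattern = re.escape(product) + r'[ /_-]?v?(\d+(?:\.\d+)+)'
    m = re.search(pattern, banner, re.IGNORECASE)
    return parse_version(m.group(1)) if m else None


def compare(a: Version, b: Version) -> int:
    """Compare versions of unequal length by zero-padding ('3.9' == '3.9.0').
    Returns -1, 0 or 1."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """The 'nc host port' check: connect and read what the service says first.
    Does network I/O; the constructed sample below does not call it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            return sock.recv(512).decode('ascii', 'replace').strip()
        except socket.timeout:
            return ''


def classify(finding: Finding, banner: str) -> str:
    """'confirmed' if the observed version is below the fix, 'likely false positive'
    if it is at or above it, 'unverified' when the banner names no usable version
    (that one still needs a human to look at it)."""
    observed = product_version(finding.product, banner)
    fixed = parse_version(finding.fixed_in)
    if observed is None or fixed is None:
        return 'unverified'
    return 'confirmed' if compare(observed, fixed) < 0 else 'likely false positive'


def triage(findings: List[Finding],
           banners: Dict[Tuple[str, int], str]) -> Dict[Tuple[str, int], str]:
    """Verdict per (host, port); a missing banner counts as 'unverified'."""
    return {(f.host, f.port): classify(f, banners.get((f.host, f.port), ''))
            for f in findings}


# Constructed sample: a scanner's claims for one host and the banners captured
# from it. The fixed-in versions are made up for the example.
FINDINGS = [
    Finding('192.0.2.10', 22, 'OpenSSH', '3.9', 'example-ssh-version-check'),
    Finding('192.0.2.10', 80, 'Apache', '2.0.50', 'example-httpd-version-check'),
    Finding('192.0.2.10', 21, 'vsftpd', '2.0.1', 'example-ftpd-version-check'),
]
BANNERS = {
    ('192.0.2.10', 22): 'SSH-2.0-OpenSSH_3.8.1p1',
    ('192.0.2.10', 80): 'HTTP/1.1 200 OK\r\nServer: Apache/2.0.52 (Unix)',
    ('192.0.2.10', 21): '220 ftp ready',   # no product or version: look manually
}

if __name__ == '__main__':
    for key, verdict in triage(FINDINGS, BANNERS).items():
        print(key, verdict)
```

On the constructed sample the SSH finding is confirmed (3.8.1 is below the made-up fix 3.9), the Apache one is flagged as a likely false positive (2.0.52 is above 2.0.50), and the FTP banner gives nothing to compare, so it stays unverified. That third bucket is the point of the exercise: a report that never distinguishes it from the other two is the spreadsheet-with-a-logo the reply warns about.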

-----Original Message-----
From: Chris Griffin [mailto:cgriffin () dcmindiana com] 
Sent: Monday, August 02, 2004 12:58 PM
To: pen-test () securityfocus com
Subject: nessus exceptions


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi list,
I'm trying to find some good holes, that aren't major security issues,
that I can create on a machine to see if our testing company really
uses anything other than Nessus.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBDo7EeFLbG0PZdVwRAmaSAJ9gHU7w6vbI9DGKWa7xmUQ31qKSBQCgpcpq
cC69CeYr16OsfuYu6u1oe8U=
=bGZi
-----END PGP SIGNATURE-----