Penetration Testing mailing list archives
RE: nessus exceptions
From: "Strand, John" <John.Strand () mms gov>
Date: Fri, 6 Aug 2004 08:36:00 -0600
Hey Chris,

It should be fairly obvious if there is a high level of false positives and vulnerabilities that make no sense at all. Good penetration and TVA testers will go through measures to verify as many of the vulnerabilities as possible. So.. If there is a ridiculous number of false positives which seem like it would be obvious in light of a little digging, they are probably just running Nessus with safe checks on, and not looking into the vulnerabilities any further.

I wouldn't worry about it too much, it will be painfully apparent when they submit their report. I have been through many audits, with many different firms, and the vast majority of them (90%) simply run Nessus or ISS then dump a spreadsheet on your desk with their logo. I have noticed that the smaller firms tend to do better though.

Nessus is a great tool, but it is only one tool. Any vulnerabilities should also be verified manually as well (nc, checking versions, etc.)

Good luck,
John

-----Original Message-----
From: Chris Griffin [mailto:cgriffin () dcmindiana com]
Sent: Monday, August 02, 2004 12:58 PM
To: pen-test () securityfocus com
Subject: nessus exceptions

Hi list,

I'm trying to find some good holes, that aren't major security issues, that I can create on a machine to see if our testing company really uses anything other than nessus.