
Nessus 3.0 Released

Posted by ScuttleMonkey
from the now-vulnerable-to-consumer-acquisition dept.
duplo1 writes: Tenable Security has announced the release of Nessus 3.0. Nessus is an enterprise-level vulnerability scanner, and this new version brings a complete rewrite of the Nessus engine, redesigned for increased speed and efficiency and running, on average, twice as fast as Nessus 2. From the release: "In addition to gaining dramatic improvements in performance, Tenable also provides an optional Direct Feed subscription service for Nessus 3.0 which provides immediate access to new vulnerability checks and entitles Nessus 3.0 users to commercial support from Tenable. The Tenable Plugins include support for a rating methodology called Common Vulnerability Scoring System (CVSS) that can be used to express the criticality of a discovered vulnerability or threat."
  • by Anonymous Coward on Tuesday December 13, 2005 @04:29AM (#14244978)
    You know, not GPL anymore. Did that escape you while writing the ad?
    • I was wondering... Do these guys pay the Slashdot editors when they release an ad like that? It would seem to be a fair deal.
    • by hug_the_penguin (933796) on Tuesday December 13, 2005 @05:51AM (#14245165) Homepage
      ...the fact it's majorly improved. Of the people here, most of them won't care that it's closed source, purely because of the reason they closed the source. If it hadn't been for rebranding issues (IMO a fault with the GPL), Nessus would still be open source. It's still the best there is; people will still use it.

      Not everyone will avoid anything that isn't free/libre, especially if the quality is good. The free software community brought it upon themselves by not helping out and in the case of the rebranders, for stealing all sources of revenue nessus had when GPL. 100 hour weeks hacking on code don't come for free, you know. We'd all prefer it to be free, but it's not essential

      • by Anonymous Coward
        > Not everyone will avoid anything that isn't free/libre, especially if the quality is good.

        For security related software???

        • Traditionally people have trusted closed source antiviruses and firewalls...
          • Like ClamAV [clamav.net] and pf [openbsd.org]?
      • ...the fact it's majorly improved.

        Except for the license, which apparently took a major step backwards.

        Of the people here, most of them won't care that it's closed source,

        You have no idea. Likely, people who don't regard open and free licenses as important are reading cnet etc. anyway, not slashdot.

        purely because of the reason they closed the source.

        Which is? The two page press release said nothing.

        If it hadn't been for rebranding issues, (IMO a fault with the GPL), nessus would still be

        • Except for the license, which apparently took a major step backwards.

          So it's crap because of the licence? I don't buy that

          You have no idea. Likely, people who don't regard open and free licenses as important are reading cnet etc. anyway, not slashdot.

          I regard them as a nicety, not an essential. End of the day, I want the best security across my servers, and I'd rather accept a closed source nessus with superior detection than an open source gnessus with inferior detection. (Of course if Gnessus takes of

          • So it's crap because of the licence? I don't buy that

            I don't think many people said it's crap (I haven't checked all the posts!). I think people are just disappointed that an important piece of open source has stopped being sponsored. We'll see if the open source version takes off, like ssh/openssh.

            I regard them as a nicety, not an essential. End of the day, I want the best security across my servers, and I'd rather accept a closed source nessus with superior detection than an open source gnessus wit

            • I don't think many people said it's crap (I haven't checked all the posts!). I think people are just disappointed that an important piece of open source has stopped being sponsored. We'll see if the open source version takes off, like ssh/openssh.

              I'm disappointed too, but i can see the logic behind it and i'm optomistic that there will be some improvements. Don't get me wrong, i'm a big fan of free/libre software, and i write an awful lot of it, but that doesn't mean i won't use proprietary software. We wi

          • Except for the license, which apparently took a major step backwards.

            So it's crap because of the licence? I don't buy that

            -----

            So you find that unTenable?

        • I'll bet you use the regularly updated (bugs and speed increases in the last few weeks) 2.x version from Nessus/Tenable being as how little has happened with the biggest fork.

          Though, I guess said fork could simply be a mirror of the regular project.
      • by Kjella (173770) on Tuesday December 13, 2005 @07:49AM (#14245402) Homepage
        If it hadn't been for rebranding issues, (IMO a fault with the GPL), nessus would still be open source.

        If your OSS business model relies on someone else not slapping their logo on it and selling it, then you have the wrong business model. It is not a fault with the GPL, and I'd be very worried if the GPL started making demands on when or if you could fork a project. I can sell "Mynix computers with Mohawk web server, YourSQL database and MyHP scripting language" (= LAMP) any day of the week, I doubt anyone would buy it. As long as the rebranders were respecting the GPL, it is Nessus' fault for not getting through to their customers about who is the source of this tool, and whom to support if they want it to continue. If you can't make any money other than on product sale, perhaps OSS is not for you. I'd much rather accept that than to see the GPL expand to become something like a "look, but don't touch" model.
      • Not everyone will avoid anything that isn't free/libre, especially if the quality is good.

        You're probably right. Only the terminally paranoid will refuse to run a closed source vulnerability finder on their network.

        Then again, the terminally paranoid are pretty much the only audience for this software. People with trusting natures don't tend to become security auditors in the first place, and even if they do, they don't tend to make a career out of it (mainly because they lack the mindset to be truly

    • by Mark Round (211258) on Tuesday December 13, 2005 @06:58AM (#14245299) Homepage
      Which is a major PITA, as there's currently no download for anything other than x86 Linux/FreeBSD. I run Nessus on Solaris (I'm the maintainer for the Blastwave.org packages), and it is this ramification of the license change that I find most infuriating. It wouldn't perhaps be so bad if Tenable could guarantee that all platforms would have binaries available for them - but this means they're leaving a large section of their userbase out in the cold. And woe betide you if you're running anything they consider really obscure or not worth supporting. Here's to the continued development of the forked GPL version.

      • *sigh*

        Just get a $200 e-machine computer from best buy, wipe it, install ubuntu or whatever, and run the new nessus under x86 / linux. If you're worried about security or conformity of machines on your network, leave it turned off when not scanning. Or, boot off of a ubuntu or knoppix live cd and install nessus 3.0, configure it, and run it - save the config file to a thumbdrive for future runs - if you don't want to dedicate a computer to the task.

        While I agree that it would be nice to be able to run it
        • by Mark Round (211258) on Tuesday December 13, 2005 @09:52AM (#14245862) Homepage
          And if I wanted to host this at our datacentre, in order to scan the systems on our network which is firewalled off from the outside world ? I'd then have to shell out for additional rack space, power, etc. Not to mention that in many environments "just bung a live CD into an x86 box" won't get past upper management ? Throwing additional hardware (even if it is "commodity" as you say) is hardly a great solution and only further encourages vendors to provide closed source solutions.

          Once the source is closed, your option of running software on the platform of your choice may be gone forever. You're then totally dependent on the developer to continue supporting your platform. You also, by extension, have to hope they never go out of business, especially if their product incorporates some sort of time-locked licensing. If they wake up one morning and decide that it's no longer economically viable to continue building their product for your platform, you're screwed. Never mind that you may have built your entire infrastructure around a certain technology, and it's not economically viable for you to jump ship to whatever the flavour of the month is; if you want to continue running closed source product X, you have to dance to the beat of the developers' drum.
          • by Anonymous Coward
            Once the source is closed, your option of running software on the platform of your choice may be gone forever. You're then totally dependent on the developer to continue supporting your platform.

            Well, it seems like you were before anyhow because no one else was fucking contributing to the project! Who's running the GPL fork now? Are they maintaining and updating it to the standard that the original was? If not, do you really want to use that as the basis for your security, or do you want to use the be

        • Just get a $200 e-machine computer from best buy, wipe it, install ubuntu or whatever, and run the new nessus under x86 / linux.

          Where the hell do you work that this kind of stunt wouldn't get you fired?

          "Yeah, let me just drag this into the datacenter and hook it up, who will notice?"

          - A.P.

          • For starters, my datacenter is my office. Not everyone has a multi-million dollar facility with voiceprint ID and retina scan for their servers.
            Second, if I'm the sysadmin (and I am, one of 4), no one would question me hooking up a computer to the network. A third party provides our ethernet ports and transit; but that's all they do, and we're responsible for our own security.
            Third, we do have machines that aren't currently in use (either because they've been phased out and are awaiting their final fate,
      • According to the nessus.org [nessus.org] site, OS X, Solaris, and Windows platforms are supported in early 2006. So for those of us who are currently running Nessus on these platforms, we are now experiencing a minor inconvenience. In the meantime, be patient and test the software out on Linux. That way, when it comes out on your platform, you are already familiar with the changes and can implement them more effectively.
      • It ___CLEARLY___ states that it has been released for Linux/BSD at this time. I'd imagine Solaris, AIX, Windows, and other platforms will follow, but for the time being, they set a release date for Linux/BSD- a large market. Give it time. Let them test Linux/BSD releases and then go from there.
        -M
        • The following platforms will be supported in early 2006:

            * Mac OS X 10.3 and 10.4
            * Microsoft Windows 2000/XP Pro/2003
            * Solaris 9 and 10
    • ***RTFA*** (Score:3, Informative)

      by sczimme (603413)

      You know, not GPL anymore. Did that escape you while writing the ad?

      From TFA:

      Nessus 3.0 was developed in response to growing market demand from enterprises, government agencies and consultants for a commercially licensed version of Nessus. Nessus 3.0 users will now have access to a number of commercial support and training options from Tenable Network Security. Tenable Network Security will continue to manage, distribute and maintain the open source version, Nessus 2.x. (emphasis mine)

      Did that
      • Or RTF post. I think he was pointing out that the summary of the article did not mention the most news worthy fact in the article.
      • 1) there is a difference between "maintaining" and "developing".
        2) the new version (which is where all active development will happen) changed its license; this was not mentioned in the advertisement appearing at the top of this page and is a pretty fucking significant omission.
        3) you do not get any extra mod points by adding more asterisks.

        in conclusion, stop pretending you are the internet police. you are doing a really shit job of it.
  • by hunterx11 (778171) <hunterx11 AT gmail DOT com> on Tuesday December 13, 2005 @04:30AM (#14244981) Homepage Journal
    Worth mentioning (though it has already been covered here on /.) is that this is the first closed-source version.
  • Hindmost (Score:4, Funny)

    by Spy Handler (822350) on Tuesday December 13, 2005 @04:30AM (#14244982) Homepage Journal
    Nessus is an enterprise level vulnerability scanner

    I thought he was Hindmost's lover :o

  • by Cherita Chen (936355) on Tuesday December 13, 2005 @04:33AM (#14244992) Homepage
  • by perlionex (703104) * <joseph.ganfamily@com> on Tuesday December 13, 2005 @04:39AM (#14245004) Homepage
    Nessus 3.0 is immediately available for download from Tenable...
    Their website [nessus.org] doesn't list 3.0 as being available for download, just the old 2.26. What's up?
  • Ahhh what a pleasure to feel safe and good, knowing that my network is regularly audited by this now non-opensource Nessus security scanner. This product is developed by a respectable company, that really know computers, networks, and stuff like that. They have a fantastic website very well administered, and very safe. You know for sure that for example, given their competence and immense wisdom, such a website will NEVER succumb under intense intrusion attacks, denial of service attacks, and this kind of

  • by Neo-Rio-101 (700494) on Tuesday December 13, 2005 @04:58AM (#14245040)
    Without trying to sound like spam, we're currently using a vulnerability checking system called "nCircle IP360" (yeah, knock off the Xbox jokes). This thing needs constant updates and upgrades in order to keep track of the numerous vulnerabilities out in the wild. The thing even detects a Commodore 64 with an ethernet cartridge as a recognized operating system! It, too, gives each server it tests a vulnerability score.

    Thing is, when you're talking about constantly updated files for vulnerabilities, we're delving into the realm of virus-scanners and ad-ware scanners. There's gold in those downloadable updates people. Makes sense to me why Nessus is no longer open sourcing their new stuff.
    • You can make an open source scanning and detection engine whilst holding the detection data updates on a monthly contract if you like.

      This is just the same as I can download and use Open Office, but that doesn't mean I should have access to every document created in it.
    • The thing even detects a Commodore 64 with ethernet cartridge as a recognized operating system!

      Are you sure it doesn't just connect to the Contiki web server on Port 80 and print the banner? That seems ever so much more likely than them having an OS fingerprint for the C64 listed.
    • Actually, if you look at the license disclosure in the nCircle documentation, you'll see that it uses Nessus.

      removing the gpl for future developments just allows Tenable to get paid by companies such as nCircle.


    • There's gold in those downloadable updates people. Makes sense to me why Nessus is no longer open sourcing their new stuff.


      Nessus' new engine is closed source and proprietary. The plugins continue to be distributed as they always were (with the exception of several Nessus3-specific plugins). This seems to be completely unlike what you're describing.
  • by ultranova (717540) on Tuesday December 13, 2005 @05:35AM (#14245121)

    Does being an "Enterprise level vulnerability scanner" mean that it can be used to figure out how to remotely shut down the Klingon cloaking device or make a Borg cube self-destruct ?-)

    • No, this is for the Enterprise itself. It keeps pointing to the holodeck as a major source of problems, as well as poor security procedures which allow anyone access to engineering and the bridge. It also reports that the firewalls used on the Enterprise are non-existent. Proven by how many times their computer system was taken over by alien programs. Funny, after all these years they appeared to still be running a Windows operating system on that starship. And the fact that aliens knew that and had v
  • To be fair... (Score:4, Insightful)

    by victorhooi (830021) on Tuesday December 13, 2005 @06:10AM (#14245207)
    Guys, lay off the slagging, ok?


    I mean, seriously, it's been GPL all these years, the developers were putting in the hours and the hard work (And don't give me that c*ap about community contributions, because in relative terms, there wasn't really any).


    And they were suffering because people were essentially taking their work and simply rebranding it and selling it as their own. Isn't it only fair that Tenable themselves should now have the opportunity to sell what is, after all predominantly their work?


    I'm quite sick of all these GPL-fanatical twits going on about how evil Tenable is for doing what any reasonable person would have done. It's a wonder that Tenable put up with all the other companies selling their work for as long as they did.


    Also, guys, lay off the whole "haha, we slash-dotted your server" cracks.. I mean, what can possibly stand before the might of /., huh? Sun, eBay, Amazon, all of these petty masses shall cower before us, for we shall crush them under teh (sic) boot of our T1 1337-ness....


    cya,
    Victor

    • I'm quite sick of all these GPL-fanatical twits going on about how evil Tenable is

      Nonsense. At the time of writing I don't see even a single post claiming Tenable is evil or anything like it. I do see a number of posts saying that they think the license change is important and a step backwards. Deal with it.

      ---

      Unregulated DRM = Total Customer Control = Ultimate Customer Lockin = Death of the free market.

    • Re:To be fair... (Score:1, Interesting)

      by Anonymous Coward
      I don't know the background, but if others were able to sell their software while it was licensed under the GPL, why can't they?
    • I'm quite sick of all these GPL-fanatical twits going on about how evil Tenable is for doing what any reasonable person would have done. It's a wonder that Tenable put up with all the other companies selling their work for as long as they did.

      Yep. I mean, NetBSD closed the source after OpenBSD rebranded their hard work and started selling CDs. Star dropped the Open Source version of StarOffice because of the relative lack of external development. Remember when Linus started selling "ClosedLinux++" afte

    • One wonders however if it wasn't being GPL for all those years being one thing (besides being a decent system, and filling a niche) that enabled Nessus to gain as much mindshare as it did, which now enables it to close its source and continue on as successfully as they no doubt will.

      This is not meant as a criticism at all. Just musing aloud.

      It'll be interesting to see if the GPL fork goes anywhere also. All of those evil companies that ripped off Nessus should be getting behind the GPL version now, right?
  • by Anonymous Coward
    Another fine example of typical hippies/commies Slashdotter mentality.

    Where do you people get off with this entitlement? The application was free for a long time!!! Did any of you tards bother to help them out? Version 2 is still out there. Free! You don't like Tenable changing the license. Go freaking fork version 2 and do something useful other than bitching about someone else's hard work!!!

    What a bunch of whiners.
  • Just curious... I mean, Nessus is a pretty despicable centaur, tried to rape Hercules' wife and then, after being fatally wounded, tricks her into poisoning herself with his blood.

    http://en.wikipedia.org/wiki/Nessus_(mythology) [wikipedia.org]

    Perhaps it is named for the Pierson's Puppeteer?
  • by Alexander (8916) on Tuesday December 13, 2005 @08:40AM (#14245545) Homepage
    (Sorry for the following soapbox, but I'm really tired of the profession using terms interchangeably)

    "Common Vulnerability Scoring System (CVSS) that can be used to express the criticality of a discovered vulnerability or threat."

    1.) Outside of a box infected by a Worm, how can it find a threat?

    Does it actually track down the human or natural threats?

    2.) How does it find "vulnerabilities"? Does it understand the capabilities of the threat source? Make an intuitive judgement on how skilled the attacker is? How does it measure the strengths of surrounding controls that mitigate the vulnerability?

    3.) How does it measure criticality? It instinctively knows that the IIS vuln. on the intranet blog is less critical than the same IIS vuln. on an e-commerce app?

    Perhaps what they mean is that the scanner finds weaknesses, and that the CVSS really makes an educated guess as to the *level of effort* it would require to exploit that weakness by what is in their mind the average attacker.

    Oh, well, at least they aren't claiming to find "risk".

  • Ok they changed the license

    But how can they do this on behalf of all the people who contributed to the project? If coder X submitted his code 2 years ago, can they decide to change the license of the work that was submitted by coder X?
    • "all the peoples that did contribute to the project?"

      Almost no one contributed. That was the problem. They were doing all the work coding it plus trying to run a business supporting it, while other leeches only had to slap a new name on it and support it.

      If others had really been doing some serious contributing to the project so that it wasn't all falling on the Tenable folks shoulders, they wouldn't have switched licenses.

  • Were it not for Nessus' roots in open source it (and Tenable) would have been unlikely to have seen the light of day, and the void they filled would have been instead occupied by some other open source project that accomplished the same goals. Instead our security is being adversely affected by greed when others (eg MySQL, RedHat) have proven that there are profits to be had by providing associated services. It is indeed unfortunate that Slashdot is giving them undeserved publicity.

    Yes, they provided a lot
    • by Anonymous Coward
      Tenable is the one that put the majority of the work into CREATING the project.

      You are entitled to NOTHING. Given how the community has put very little back into the project, I can understand their position. I can't understand yours.
      • Dear AP, Please go post at the idealistic, feel-good-and-all-the-users-understand-logic board down the hall. This is the whine, bitch and moan about things you can't control (and things you can, but want to cry about anyway) board! Regards, The Management
  • What this all comes down to is our responsibilities as users and developers to the OSS products we use. Part of the idea behind open source is that the users contribute back to the project to better the project. You do not have to be a developer to do this, you can submit bug reports, help with graphics/web design, help with documentation, etc...

    With the nessus project, yes there is community development, but the amount of contributed code was disproportionate to the long hard hours the core team has p
  • GPL bullshit (Score:2, Insightful)

    by packman (156280)
    Ok - title makes it sound like a troll - or whatever. Fact is, these people have to make a living. Other fact is - a lot of people made a living of their work without giving ANYTHING back.

    As you can see on their CVS servers, there are barely any external contributions. Isn't that the whole point of the GPL? Everybody profits from everybody's changes. That didn't happen, so YOU may be using Nessus 2.x without giving anything back. It's not a bad thing, but these people do this for their living. All the bitching
