Re: Medium Scale Scanning Best Practices

From: miguel.dilaj@pharma.novartis.com
Date: 01/15/02


To: pen-test@securityfocus.com
From: miguel.dilaj@pharma.novartis.com
Date: Tue, 15 Jan 2002 13:43:59 -0300


Hello Steve

IMHO, your phrase "For example, the next IIS vulnerability hits. I'd like
to have a quick answer to the question, ..." is not compatible with
"Periodic - weekly/monthly <--------- me".

Perhaps you have to consider Nessus (www.nessus.org) for this task,
activating only the needed plugins each time (i.e. new IIS vulnerability ->
Windows and Web attack plugins only).
Nessus is smart enough to NOT test unusable scripts (i.e. it won't launch a
web attack plugin if there's no webserver on the target host).
You'll also benefit from excellent reports.
Nessus needs a Linux/UNIX box, but you'll need only 1 box for the Nessus
server, and you can even use a Windows client to drive it.
It could be that somebody else has a better answer. I'm ready to learn.

OTOH, you can consider using some kind of NIDS (for example Snort, from
www.snort.org), so new attacks can be detected/stopped by the NIDS. Of
course you have to worry about having the latest and greatest Snort signatures
in place, but then you'll have extra time to do the detailed Nessus scans.
Snort is available for Linux/UNIX/Windows.

Both tools are free and readily available, and have several updates/week
(sometimes).
Cheers,

Miguel Dilaj

swlodin@iquest.net@iquest.net on 15/01/2002 09:16:07

Please respond to swlodin@iquest.net

To: PEN-TEST@securityfocus.com
cc:
Subject: Medium Scale Scanning Best Practices

Good day,

I'm looking for advice on best practices for periodic scanning of a
network on a medium scale. Here are my definitions:

Frequency
---------
Continuous - near real-time
Periodic - weekly/monthly <--------- me
One time - duh

Scale
-----
Small - a few hosts or maybe a /24 network or two
Medium - many networks, up to /16 types <----------- me
Large - global Internet or many /8 types

Testing Activity **
-------------------
Footprinting
Scanning <----------- me
Enumeration
Penetration

** Taken from Hacking Exposed by the Foundstone guys

I have a global network of many /16 through /26 networks. I'd like to
develop an inventory of, primarily, machine/OS/Services. I'd prefer to have
this relatively up-to-date, but not manually performed. Ultimately, I'd like
to have a resource that could help me identify vulnerable devices given the
discovery of a new vulnerability rather than having to scan the entire
network each time.

For example, the next IIS vulnerability hits. I'd like to have a quick
answer to the question, "what devices are vulnerable". It doesn't matter if
the answer is the result of "list all Windows OS devices with port 80 or 443
open".

What are the best practices in this area? I have a cobbled-together
solution using nmap that I'm ready to test, but if there is a better
low-cost solution I am interested. I've seen ndiff (nmap diff), but I'm not
sure that it would be easy to modify that to suit my requirements. How are
you dealing with this situation?

Thanks!

Steve
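As an added illustration of the inventory Steve describes (not code from either poster), the following Python script parses nmap's XML output (nmap -oX) into a machine/OS/open-services inventory, answers a query of the form "all Windows devices with port 80 or 443 open", and produces an ndiff-style summary of what changed between two scans. The two scans embedded below are constructed sample data for a hypothetical 10.0.0.0/29, not real scan results.

```python
"""Added example: nmap-XML-backed host/OS/service inventory with a
'which devices are exposed' query and a scan-to-scan diff.
Sample XML below is constructed for illustration; not a real scan."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: last month's scan of a hypothetical 10.0.0.0/29.
SCAN_OLD = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
<os><osmatch name="Microsoft Windows 2000 SP2" accuracy="98"/></os>
<ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd"/></port>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/>
<os><osmatch name="Linux 2.4.X" accuracy="95"/></os>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.3" addrtype="ipv4"/>
<os><osmatch name="Microsoft Windows NT 4.0" accuracy="90"/></os>
<ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host>
</nmaprun>"""

# Constructed sample: this month's scan. 10.0.0.3 is down, 10.0.0.2 now
# exposes MySQL, and a new Windows web server 10.0.0.4 has appeared.
SCAN_NEW = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
<os><osmatch name="Microsoft Windows 2000 SP2" accuracy="98"/></os>
<ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd"/></port>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/>
<os><osmatch name="Linux 2.4.X" accuracy="95"/></os>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
</ports></host>
<host><status state="down"/><address addr="10.0.0.3" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="10.0.0.4" addrtype="ipv4"/>
<os><osmatch name="Microsoft Windows 2000 SP3" accuracy="97"/></os>
<ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd"/></port>
</ports></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"os": name, "ports": {(proto, port): service}}} for hosts that were up.
    Only 'open' ports are recorded; filtered/closed ones are dropped."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        osmatch = host.find("os/osmatch")  # first (best) OS guess, if nmap produced one
        os_name = osmatch.get("name") if osmatch is not None else "unknown"
        ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            key = (port.get("protocol"), int(port.get("portid")))
            ports[key] = svc.get("name") if svc is not None else "unknown"
        inventory[addr.get("addr")] = {"os": os_name, "ports": ports}
    return inventory


def find_exposed(inventory, os_keyword, tcp_ports):
    """The 'next IIS vulnerability' query: hosts whose OS fingerprint contains
    os_keyword (case-insensitive) and have any of tcp_ports open. Sorted by IP."""
    wanted = {("tcp", p) for p in tcp_ports}
    hits = [ip for ip, h in inventory.items()
            if os_keyword.lower() in h["os"].lower() and wanted & h["ports"].keys()]
    return sorted(hits, key=ipaddress.ip_address)


def diff_inventory(old, new):
    """ndiff-style summary: hosts that appeared/vanished and ports opened/closed per host."""
    by_ip = lambda ips: sorted(ips, key=ipaddress.ip_address)
    changes = {"new_hosts": by_ip(set(new) - set(old)),
               "gone_hosts": by_ip(set(old) - set(new)),
               "opened": {}, "closed": {}}
    for ip in set(old) & set(new):
        opened = set(new[ip]["ports"]) - set(old[ip]["ports"])
        closed = set(old[ip]["ports"]) - set(new[ip]["ports"])
        if opened:
            changes["opened"][ip] = sorted(opened)
        if closed:
            changes["closed"][ip] = sorted(closed)
    return changes


if __name__ == "__main__":
    old, new = parse_nmap_xml(SCAN_OLD), parse_nmap_xml(SCAN_NEW)
    print("Windows hosts with 80/443 open:", find_exposed(new, "windows", [80, 443]))
    print("Changes since last scan:", diff_inventory(old, new))
```

The point of keeping the parsed inventory (rather than the raw scan) is that the "what is vulnerable" question becomes a lookup over stored OS and port data, so it can be answered immediately when an advisory lands, while the periodic rescan only has to refresh the inventory and report deltas.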

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
