Nessus 3
Nessus is the security scanner. That’s not just a tagline, it’s the truth. Yes, other people make scanners. Yes, other companies make tons of money off of their scanners, but having used ALL of them (yes, every single purported ’security scanner’, that I have ever heard of, for the last 10 years or so. ALL), Nessus is the “best”.
Historically, one of its major values was its cost (free) as well as its source license (Free/Open). Cost is still, generally, free (restrictions and various non-free necessities apply) … but the source, and the product, are… not. This may upset some to the point of refusing to use it. I’m not one of them.
Nessus is very light-weight, its rule language (NASL) is very intuitive and powerful, and the sheer volume of support and flexibility provided is exceptional. It finds things other scanners only dream of. It can (not by default) work very stealthily, not setting off some IDSes. It can be configured not to destroy the systems it’s scanning. No one builds a better scanner. Truthfully, I wish someone would: Not because I don’t like or want to use Nessus, but because the ecosystem is very homogeneous in this space: You either use Nessus, or you may as well find a dowser with a divining rod to point out your vulnerabilities.
Over the years, one of the things that has been failing with Nessus is the interface. I enjoy command-line interfaces as much as the next UNIX junkie, but when you need a tool you can put in the hands of Joe Average, it has to have a graphical interface… It just must. Historically, back when Nessus was free and Free, there was no shortage of Tk/GTK/Web/Qt/etc. etc. interfaces: A lot of those are still around, but are generally cut off from the newer features. When your license prohibits reverse engineering, it makes it hard for people to maintain their interfaces to your product.
Recently, I re-acquired my main scanning system (after a stealth project became production, literally overnight (over a year ago)), and decided to upgrade everything… Including Nessus. The upgrade was flawless. It found my old install, upgraded it, re-registered my feed, etc. etc. Very slick. I then upgraded the client on my laptop. That was not so smart of me. Following a common trend, Tenable has retired the old interface in favour of a “new” Qt-based interface. I have nothing against “new” or “Qt”, but the new interface is missing dozens of previously-exposed features and one… one very IMPORTANT feature has been removed from both the Qt version and the CLI version: html_graph. It appears there is no html_graph in Nessus 3.
What is html_graph? It was a report export format that presented an HTML report of the scanning results along with pie and bar graphs giving you a visual representation of what the report contained. Very very very important when presenting this information to people wearing ties.
I searched the Interlink: No vast outcry! Just one, lonely, unanswered post, reporting the problem and asking for help. I would guess that because he wrote in all lower-case, no one wanted to tell him the harsh truth: You can’t with Nessus 3. Nope. No more XML output. No more HTML+Graphs. No more. I’ll hypothesize this is because of the license changes: They can’t link against a whole slew of Free libraries that do this work for you, because of the shift from libre to locked. That’s just a guess. At first I thought it was just in the Qt-interface, which could have been simply a CBA or porting issue, still on the TODO list: But when I saw the neutered CLI – without XML or html_graph – well, that’s indicative of politics as opposed to growing pains.
So I don’t know, as I’ve said, why these are gone. But they are. Thankfully, as of right now, I can still convert the Nessus 3-generated scan files (NBE) into html_graph and XML using an older version of the Nessus CLI (version 2.something), but it’s a pain, it’s an extra step (okay, okay, I automated it with 2 lines of Perl, but it’s a pain to someone!!), and it devalues an otherwise very very valuable tool… For if you cannot show pie and bar-graphs to those wearing ties, on-demand, the fact that you have found 4781 security problems is moot.
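If the old Nessus 2 client ever stops reading Nessus 3 NBE files, the html_graph-style summary can be produced from the NBE file directly. The script below is an added example (not the author's two lines of Perl, and not Tenable code); it assumes the pipe-separated NBE record layout `results|subnet|host|port|plugin_id|severity|description`, with severity being one of `Security Hole`, `Security Warning` or `Security Note`, and it works on a small constructed NBE sample (fake hosts, plugin ids and descriptions) so it runs offline. It tallies findings per severity and per host and writes a single HTML page with a CSS bar chart and a table, which is the part of html_graph that matters to the people wearing ties.

```python
"""Build an html_graph-style HTML summary straight from a Nessus NBE file.

Added example, not the blog author's Perl and not Tenable code.  Assumes
the NBE record layout:
    results|subnet|host|port|plugin_id|severity|description
"""
from collections import Counter, defaultdict
from html import escape

# Constructed sample NBE content: fake hosts, plugin ids and descriptions.
SAMPLE_NBE = """\
timestamps|||scan_start|Fri Dec  5 10:00:00 2008|
timestamps||192.168.1.10|host_start|Fri Dec  5 10:00:01 2008|
results|192.168.1|192.168.1.10|ssh (22/tcp)
results|192.168.1|192.168.1.10|ssh (22/tcp)|10267|Security Note|An SSH server is running on this port.
results|192.168.1|192.168.1.10|http (80/tcp)|11111|Security Warning|The web server leaks its version in the banner.
results|192.168.1|192.168.1.10|http (80/tcp)|22222|Security Hole|Constructed high-severity finding for the example.
results|192.168.1|192.168.1.20|smtp (25/tcp)|33333|Security Warning|Mail server answers VRFY.
results|192.168.1|192.168.1.20|general/tcp|44444|Security Note|Traceroute information.
timestamps||192.168.1.10|host_end|Fri Dec  5 10:05:00 2008|
"""

# NBE severity labels, most serious first; this order drives the chart and table.
SEVERITY_ORDER = ["Security Hole", "Security Warning", "Security Note"]
COLOURS = {"Security Hole": "#c0392b", "Security Warning": "#e67e22",
           "Security Note": "#2980b9"}


def parse_nbe(text):
    """Return a list of finding dicts from NBE text.

    'results' records with fewer than seven fields are plain open-port
    notices with no plugin attached and are skipped.  The description is
    the last field, so split at most six times to keep any '|' inside it.
    """
    findings = []
    for line in text.splitlines():
        if not line.startswith("results|"):
            continue  # timestamps and other record types are not findings
        parts = line.split("|", 6)
        if len(parts) < 7:
            continue
        _, _subnet, host, port, plugin_id, severity, desc = parts
        findings.append({"host": host, "port": port, "plugin_id": plugin_id,
                         "severity": severity, "description": desc})
    return findings


def summarize(findings):
    """Count findings per severity, always listing all three severities."""
    counts = Counter(f["severity"] for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITY_ORDER}


def per_host(findings):
    """Nested dict: host -> severity -> count."""
    table = defaultdict(lambda: {s: 0 for s in SEVERITY_ORDER})
    for f in findings:
        if f["severity"] in SEVERITY_ORDER:
            table[f["host"]][f["severity"]] += 1
    return dict(table)


def render_html(findings):
    """Emit a self-contained HTML page: CSS bar chart plus a per-host table."""
    totals = summarize(findings)
    hosts = per_host(findings)
    scale = max(totals.values()) or 1  # avoid division by zero on empty scans
    out = ["<html><head><title>Nessus summary</title></head><body>",
           "<h1>Findings by severity</h1>"]
    for sev in SEVERITY_ORDER:
        width = int(300 * totals[sev] / scale)  # longest bar is 300px
        out.append(f'<div>{escape(sev)}: <span style="display:inline-block;'
                   f'background:{COLOURS[sev]};width:{width}px">&nbsp;</span>'
                   f' {totals[sev]}</div>')
    out.append("<h1>Per host</h1><table border='1'><tr><th>Host</th>"
               + "".join(f"<th>{escape(s)}</th>" for s in SEVERITY_ORDER)
               + "</tr>")
    for host in sorted(hosts):
        out.append(f"<tr><td>{escape(host)}</td>"
                   + "".join(f"<td>{hosts[host][s]}</td>" for s in SEVERITY_ORDER)
                   + "</tr>")
    out.append("</table></body></html>")
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    # Usage: python nbe_report.py scan.nbe > report.html  (no argument: sample)
    nbe_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NBE
    print(render_html(parse_nbe(nbe_text)))
```

Descriptions and host names are passed through `html.escape` before they reach the page, since plugin output is attacker-influenced text (banners, page titles) and a report viewed in a browser should not render it as markup.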
2 Comments
By Greg, December 5, 2008 @ 10:34 am
Would I be able to get a copy of your perl script to convert 3.0 scans to xml?
By Security Made Easy, July 7, 2009 @ 12:07 pm
I have been using Nessus for a long time, and I definitely agree that removing the html_graph feature was a bad move. You would think that newer versions would add more features, not remove them!! I was also surprised that nobody complained. What I did initially was try to generate graphs with Excel, then I realized that you can use an old Nessus client to do that.
Graphs and Pie charts are definitely important for management.