
I've seen the PVS (passive vulnerability scanner) from Tenable Network Security.

I'm really interested in this kind of approach.

Does anyone know if there is any FOSS solution that can be used professionally in a company?

P.S. I know that, from the point of view of functionality, it is a sort of NIDS with a pattern-matching engine and a vulnerability database, so please don't respond with "use a NIDS".

boos

1 Answer


At a glance, this looks to me like just a network-based intrusion detection system (Network IDS, or NIDS) with a few special rules. It probably doesn't do anything that Snort couldn't do with the proper tweaks.

Iszi
  • Snort is still the king in IDS-land, but I'm not sure Snort does what PVS does. OpenVAS with a Snort scan for new hosts seems to be the closest to what the OP suggests. – schroeder Jan 05 '12 at 15:28
  • @schroeder As I understand it, Snort can pretty much alert to any network transmission you can build a signature for. And I don't see Tenable advertising that PVS does anything that you couldn't (at least in theory) build a signature for. – Iszi Jan 05 '12 at 15:55
  • PVS will perform a vulnerability scan on any new machine it detects, which is not a Snort function. Snort reads traffic, it does not perform active scans. – schroeder Jan 05 '12 at 20:04
  • wondering how much effort it would be to script up the same thing in Metasploit :-) – Rory Alsop Jan 06 '12 at 09:49
  • @schroeder That only works if you're also using Nessus and Security Center, though. PVS on its own does not do actual vulnerability scanning. – Iszi Jan 06 '12 at 13:56
  • PVS DOESN'T do active scanning. It simply collects traffic from a TAP or SPAN port and then analyzes it to find vulnerabilities. Snort is a Network Intrusion Detection System: it detects attacks on a network, it doesn't detect vulnerable versions on a network by analyzing the network passively. – boos Jan 09 '12 at 10:56
  • I don't know Snort well, but even tweaking it to detect the banners of vulnerable hosts, it doesn't have any form of management GUI to handle this kind of stuff. Also, supposing I have a vulnerable intranet web server, every time a client connects to it, Snort will make an alert about a vulnerable host. Also, this kind of hack can't be affordable for use in a professional way. – boos Jan 09 '12 at 11:04
  • @boos - Snort is not only very configurable, but many popular rule sets are available for free. Plus - it isn't a hack - snort is designed to be tinkered with in this way. – Rory Alsop Jan 09 '12 at 21:19
  • @Rory You have totally missed the point. Do you know what PVS is and what you can do with it? I think not. I know that hypothetically you can do lots of stuff with Snort, but it's not imaginable to write about 40k rules in Snort to do what PVS does. Please, before replying, take a look here: http://www.tenable.com/products/tenable-passive-vulnerability-scanner and here: http://cgi.tenable.com/Features_PVS.pdf. – boos Jan 14 '12 at 16:30
  • @boos - yes I do know these products pretty well. Seriously, have a look at the snort community forums: many of these rules exist already. – Rory Alsop Jan 14 '12 at 21:10
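To make concrete what the thread is arguing about (passive banner matching versus active scanning, and boos's objection that a plain IDS rule would re-alert on every client connection), here is an added example in Python. It is not code from the original page, from Tenable or from the Snort project. It models a PVS-style passive check: it reads server replies as a sensor on a TAP or SPAN port would see them, pulls product and version out of the banner, keeps a (host, port) inventory so each service is evaluated once until its banner changes, and compares the version against a small rule table. The traffic, the banner patterns and the rules are all constructed sample data; the rule thresholds are placeholders, not real advisories. Two simplifications are assumptions of the example, not properties of PVS: the side on the well-known port is taken to be the server, and payloads arrive already reassembled (a real sensor would sit behind a TCP stream reassembler fed from libpcap).

```python
"""Toy passive, banner-based vulnerability detector (added example).

Mirrors the PVS-style approach discussed above: no packets are sent; the
sensor only reads server replies copied from a TAP/SPAN port, identifies
product and version from the banner, and compares them against a rule
table. A (host, port) -> (product, version) inventory makes each service
alert once, not on every client connection, until its banner changes.
All traffic, patterns and rules below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Constructed observations, in the shape a flow reassembler would hand over:
# (src_ip, src_port, dst_ip, dst_port, first payload bytes from that side).
SAMPLE_TRAFFIC = [
    ("10.0.0.5", 22, "10.0.0.50", 51000, b"SSH-2.0-OpenSSH_5.3\r\n"),
    ("10.0.0.50", 51000, "10.0.0.5", 22, b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"),  # the client's own banner
    ("10.0.0.7", 80, "10.0.0.50", 51002,
     b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\nContent-Length: 0\r\n\r\n"),
    ("10.0.0.8", 25, "10.0.0.50", 51003, b"220 mail.example.internal ESMTP Postfix (3.6.4)\r\n"),
    ("10.0.0.5", 22, "10.0.0.51", 51004, b"SSH-2.0-OpenSSH_5.3\r\n"),  # second client, same server
    ("10.0.0.9", 22, "10.0.0.50", 51005, b"SSH-2.0-OpenSSH_9.3\r\n"),
]

# Banner signatures: product name and a regex whose group 1 is the version.
BANNER_PATTERNS = [
    ("openssh", re.compile(rb"^SSH-[\d.]+-OpenSSH_(\d+(?:\.\d+)*)")),
    ("apache", re.compile(rb"^Server: Apache/(\d+(?:\.\d+)*)", re.MULTILINE)),
    ("postfix", re.compile(rb"^220 .*ESMTP Postfix \((\d+(?:\.\d+)*)\)")),
]

# Version rules: (product, fixed_in, label); versions below fixed_in are flagged.
# Placeholder thresholds for the demo, NOT real advisories.
RULES = [
    ("openssh", "6.0", "sample rule: OpenSSH older than 6.0"),
    ("apache", "2.4", "sample rule: Apache httpd older than 2.4"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    product: str
    version: str
    rule: str


def parse_version(text):
    """'2.2.3' -> (2, 2, 3), so tuple comparison orders versions numerically."""
    return tuple(int(part) for part in text.split("."))


def identify(payload):
    """Return (product, version) for a recognised server banner, else None."""
    for product, pattern in BANNER_PATTERNS:
        match = pattern.search(payload)
        if match:
            return product, match.group(1).decode("ascii")
    return None


def passive_scan(flows, rules=RULES):
    """Walk observed flows; return (inventory, findings) without sending a packet."""
    inventory = {}  # (host, port) -> (product, version)
    findings = []
    for src, sport, _dst, _dport, payload in flows:
        # Heuristic: the well-known-port side is the server. Without this an
        # SSH client's own version string would be attributed to the client.
        if sport >= 1024:
            continue
        ident = identify(payload)
        if ident is None:
            continue
        product, version = ident
        key = (src, sport)
        if inventory.get(key) == ident:
            continue  # already known: do not re-alert on every client connection
        inventory[key] = ident  # new service, or its banner changed
        for rule_product, fixed_in, label in rules:
            if rule_product == product and parse_version(version) < parse_version(fixed_in):
                findings.append(Finding(src, sport, product, version, label))
    return inventory, findings


if __name__ == "__main__":
    inv, found = passive_scan(SAMPLE_TRAFFIC)
    for (host, port), (product, version) in sorted(inv.items()):
        print(f"{host}:{port} {product} {version}")
    for f in found:
        print(f"ALERT {f.host}:{f.port} {f.product} {f.version} -> {f.rule}")
```

Run as-is it lists four services and raises exactly two alerts, although 10.0.0.5:22 was observed twice: the inventory, not the per-packet signature, decides when to alert, which is the part a plain "banner matches" IDS rule lacks. Version comparison is deliberately numeric rather than string-based, since "10.0" must sort after "9.9"; a production tool would also need vendor-specific version schemes and backported-fix awareness, which banner strings alone cannot give you.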