Solved Network Vulnerability Scan with Reporting
-
I am working on setting up a Network Vulnerability Scan Server running CentOS or Debian and wanted to see what you do in this case when you need reporting. Right now I have
- Snort
- OSSEC
I know of others but want to know which ones you recommend that can work well.
-
@stacksofplates said in Network Vulnerability Scan with Reporting:
We have Nessus. Not a huge fan because it just barfs out a ton of information. For >100 systems it might be fine. When you get into thousands of systems overall it's hard to manage and find anything.
Red Hat has a nice one called Insights. It actually takes into account whether or not you use packages that have vulnerabilities and weights them accordingly. Like if OpenSSL has a vuln and you don't use SSH or HTTPS or anything related to it, it weights that differently than if multiple services were leveraging it. I sat through a demo of it but I don't know the cost.
OpenVAS does this but is slow and the UI makes me want to cry.
Rapid7 has Nexpose, but I have no clue on the cost.
Seccubus works with a few different tools. It might be something to look into.
Yeah, OpenVAS is slow. I have not used Seccubus, for sure.
-
We have Nessus. Not a huge fan because it just barfs out a ton of information. For >100 systems it might be fine. When you get into thousands of systems overall it's hard to manage and find anything.
Red Hat has a nice one called Insights. It actually takes into account whether or not you use packages that have vulnerabilities and weights them accordingly. Like if OpenSSL has a vuln and you don't use SSH or HTTPS or anything related to it, it weights that differently than if multiple services were leveraging it. I sat through a demo of it but I don't know the cost.
OpenVAS does this but is slow and the UI makes me want to cry.
Rapid7 has Nexpose, but I have no clue on the cost.
Seccubus works with a few different tools. It might be something to look into.
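The exposure-weighted idea stacksofplates describes above, as an added example in Python that is not from this thread and is not Red Hat Insights' own algorithm: a scanner finding for a package is weighted up or down depending on how many listening services on the host actually link that package. The host inventory, findings, advisory ids and multipliers are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    package: str
    advisory: str      # placeholder id, constructed for this example
    base_score: float  # severity as the scanner reported it, 0-10

# Constructed inventory: listening services per host and the packages each
# links. A real deployment would collect this with an agent; it is
# hard-coded here so the example runs offline.
INVENTORY = {
    "web01": {"nginx": {"openssl", "zlib"}, "sshd": {"openssl"}},
    "build01": {"sshd": {"openssl"}},
    "kiosk01": {},  # package installed, but nothing network-facing uses it
}

# Constructed findings, as a scanner might report them.
SAMPLE_FINDINGS = [
    Finding("web01", "openssl", "ADV-EXAMPLE-1", 8.0),
    Finding("build01", "openssl", "ADV-EXAMPLE-1", 8.0),
    Finding("kiosk01", "openssl", "ADV-EXAMPLE-1", 8.0),
    Finding("web01", "zlib", "ADV-EXAMPLE-2", 5.0),
]

def exposure_factor(host, package):
    """Return (multiplier, listening services that link the package).
    Multipliers are illustrative, not Insights' real scheme: no listener
    uses it -> 0.25; one -> 1.0; each extra listener sharing it adds 0.25.
    """
    services = [name for name, libs in INVENTORY.get(host, {}).items()
                if package in libs]
    if not services:
        return 0.25, services
    return 1.0 + 0.25 * (len(services) - 1), services

def prioritise(findings):
    """Rank findings by exposure-weighted score, highest first."""
    ranked = []
    for f in findings:
        factor, services = exposure_factor(f.host, f.package)
        weighted = min(10.0, round(f.base_score * factor, 1))
        ranked.append((weighted, f, services))
    ranked.sort(key=lambda item: item[0], reverse=True)
    return ranked

if __name__ == "__main__":
    for score, f, used_by in prioritise(SAMPLE_FINDINGS):
        print(score, f.host, f.package, f.advisory, used_by or "unused")
```

The same advisory lands at the top of the list on the host where two listeners share OpenSSL and at the bottom on the kiosk where nothing network-facing uses it, which is the behaviour the post describes.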
-
What perspective are you scanning from: external; internal, uncredentialed; or internal, trusted? That will affect the tools you use. We used Lynis (https://cisofy.com/lynis/), but that was more about compliance and vulnerability testing from an internal, trusted perspective.
-
@kelly said in Network Vulnerability Scan with Reporting:
What perspective are you scanning from: external; internal, uncredentialed; or internal, trusted? That will affect the tools you use. We used Lynis (https://cisofy.com/lynis/), but that was more about compliance and vulnerability testing from an internal, trusted perspective.
We will be using it internally, and occasionally on an external host, but 98% will be internal.
-
@dbeato said in Network Vulnerability Scan with Reporting:
We will be using it internally, and occasionally on an external host, but 98% will be internal.
I liked Lynis, but it runs on every device you need to scan rather than performing an external scan. This is more about hardening to protect from an attack instead of simulating a hostile reconnaissance.
-
@kelly said in Network Vulnerability Scan with Reporting:
I liked Lynis, but it runs on every device you need to scan rather than performing an external scan. This is more about hardening to protect from an attack instead of simulating a hostile reconnaissance.
So it is agent-based; I have used OSSEC and OSSIM for that too.
-
@dbeato said in Network Vulnerability Scan with Reporting:
So it is agent-based; I have used OSSEC and OSSIM for that too.
Yup
-
OpenVAS is a good one.
-
@dafyre said in Network Vulnerability Scan with Reporting:
OpenVAS is a good one.
That is what I am using right now; it has great reporting.
-
@dbeato said in Network Vulnerability Scan with Reporting:
So it is agent-based; I have used OSSEC and OSSIM for that too.
OSSIM is good, as I think it has a built-in vulnerability scanner too, but it's more like a Snort / Suricata / IDS log collector, IIRC.
-
@dafyre said in Network Vulnerability Scan with Reporting:
OSSIM is good, as I think it has a built-in vulnerability scanner too, but it's more like a Snort / Suricata / IDS log collector, IIRC.
OSSIM is AlienVault OpenSource and can be more convoluted than OpenVAS, as it just has so much information and can also be your syslog server. It is pretty big.
-
@dbeato said in Network Vulnerability Scan with Reporting:
OSSIM is AlienVault OpenSource and can be more convoluted than OpenVAS, as it just has so much information and can also be your syslog server. It is pretty big.
I forgot to mention this one. Wazuh combines ELK and OSSEC. I played with it a while ago and it wasn't too bad to set up.
-
OpenVAS has been working fine; now I am playing with Wazuh.
-
@dbeato said in Network Vulnerability Scan with Reporting:
OSSIM is AlienVault OpenSource and can be more convoluted than OpenVAS, as it just has so much information and can also be your syslog server. It is pretty big.
AlienVault just uses OpenVAS with their GUI on top. I've confirmed this with their support.
-
@irj said in Network Vulnerability Scan with Reporting:
AlienVault just uses OpenVAS with their GUI on top. I've confirmed this with their support.
Yes, just too many things in one system.
-
We're using InsightVM (product of Rapid7).
-
I really like OpenVAS and never noticed it being slow... it scans, and reports its findings in an excellent way. Very intuitive and useful. It is worth spinning one up.
-
@obsolesce said in Network Vulnerability Scan with Reporting:
I really like OpenVAS and never noticed it being slow... it scans, and reports its findings in an excellent way. Very intuitive and useful. It is worth spinning one up.
It is slow to start the tasks.
-
@dbeato said in Network Vulnerability Scan with Reporting:
It is slow to start the tasks.
Definitely.
Nessus is so much faster. In a big environment, OpenVAS just isn't usable. It isn't bad for smaller environments, though.