-
July 30th, 2003, 12:35 PM
#1
Member
Nessus requests
I am doing a test on our servers at work. I have been using Nessus to do traditional vulnerability scans and my question is this:
I want to view the actual requests, in raw format that nessus makes when testing for vulnerabilities. Can the requests be found somewhere so that the actual requests can be viewed?
Thanks!
-
July 30th, 2003, 01:04 PM
#2
You should be able to look into the rules that make a nessus test. I can't tell you where they are but I'm sure it's in the documentation.
If you want to see the 'real' traffic (IP packets et al) why not hook up a sniffer? Ethereal will do very well.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
July 30th, 2003, 01:07 PM
#3
Well, it's a bit of a kludge, because I don't know how to do it in Nessus, or if it can be done even, but have you thought about putting something like Ethereal downstream of your Nessus server so you can examine the packets? I would think either creating a span port (if your switches will support that) or dropping the Nessus server on an old hub that you have lying around and putting the Ethereal machine on it (the hub) would give you everything you wanted.
edit: damn, sir dice posted while I was typing. Yeah, what he said.
-
July 30th, 2003, 01:16 PM
#4
Or, if you are using *nix, you can fire up "ngrep" while Nessus is scanning your server. I did it two months ago; you will see the real traffic too.
-
July 30th, 2003, 01:32 PM
#5
www.majorgeeks.com has a pile of exploit scanners and admin tools to help you in your quest.
-
July 30th, 2003, 01:34 PM
#6
In RH9 the tests are in /usr/lib/nessus/plugins and are written in NASL.
This will tell you about NASL: http://www.nessus.org/doc/nasl2_reference.pdf and from that you should be able to work out what the tests are doing (and probably get them to dump input/output to files).
HTH
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
-
July 30th, 2003, 02:24 PM
#7
Member
I am indeed using linux. That grep command sounds interesting. What did the command look like?
-
July 30th, 2003, 06:11 PM
#8
Most Linux distributions have tcpdump or similar... or, at least, the RPMs are fairly accessible from your vendor/distro.
"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"
-
July 30th, 2003, 07:21 PM
#9
Member
We've had to do this in the past as well. Like 4 or 5 people already said, the "best" way would be a sniffer. Any sniffer will do; just write the output to a file, then go back and look at all the traffic. This is a good way to prove you ran certain tests and did not run others (some clients don't want you running certain tests).
-
July 31st, 2003, 12:09 AM
#10
Originally posted here by Surreal
I am indeed using linux. That grep command sounds interesting. What did the command look like?
"grep" and "ngrep" are different:
Code:
NAME
grep, egrep, fgrep, zgrep, zegrep, zfgrep, bzgrep, bzegrep, bzfgrep -
print lines matching a pattern
SYNOPSIS
grep [options] PATTERN [FILE...]
grep [options] [-e PATTERN | -f FILE] [FILE...]
DESCRIPTION
grep searches the named input FILEs (or standard input if no files are
named, or the file name - is given) for lines containing a match to the
given PATTERN. By default, grep prints the matching lines.
In addition, two variant programs egrep and fgrep are available. egrep
is the same as grep -E. fgrep is the same as grep -F. zgrep is the
same as grep -Z. zegrep is the same as grep -EZ. zfgrep is the same
as grep -FZ.
etc
Code:
SYNOPSIS
ngrep <-hXViwqpevxlDtT> <-IO pcap_dump > < -n num > < -d dev > < -A num
> < -s snaplen > < match expression > < bpf filter >
DESCRIPTION
ngrep strives to provide most of GNU grep's common features, applying
them to the network layer. ngrep is a pcap-aware tool that will allow
you to specify extended regular expressions to match against data pay-
loads of packets. It currently recognizes TCP, UDP and ICMP across
Ethernet, PPP, SLIP, FDDI and null interfaces, and understands bpf fil-
ter logic in the same fashion as more common packet sniffing tools,
such as tcpdump(8) and snoop(1).
etc
So you need to have "ngrep" installed on your box and read the ngrep manual first, and then you will know what the command is.
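Added example, not from any post in this thread: the replies above say to sniff the scan to a file (e.g. `tcpdump -s 0 -w scan.pcap host <target>`, then `ngrep -q -I scan.pcap`) and keep the capture as the record of which probes were sent. The script below is a small ngrep-style extractor written for this page: it reads a libpcap file, walks Ethernet/IPv4/TCP, and returns the raw payloads that match a pattern, so a scanner's requests can be read as text. The capture, the 10.0.0.x addresses and the probes in it are constructed inline so the script runs offline; none of it is real Nessus traffic.

```python
# Added example (not from this thread): a minimal ngrep-style extractor that
# reads a libpcap file and returns the raw TCP payloads, so the requests a
# scanner sent can be read as text. Ethernet/IPv4/TCP only; the sample
# capture below is constructed here, not real Nessus traffic.
import re
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_tcp_packet(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP (no options) + payload. Checksums are left as
    zero because the extractor below does not validate them."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """libpcap file: 24-byte global header (little-endian magic, v2.4,
    linktype 1 = Ethernet) then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1059570000 + i, 0, len(frame), len(frame))
        out += frame
    return out


def extract_tcp_payloads(pcap):
    """Yield (src, sport, dst, dport, payload) for each TCP segment carrying
    data. Both pcap byte orders are accepted; non-IPv4/TCP frames are skipped."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # too short or not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != IPPROTO_TCP or len(ip) < total_len:
            continue                      # not TCP, or truncated by snaplen
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]  # skip TCP header (data offset)
        if payload:
            yield src, sport, dst, dport, payload


def ngrep(pcap, pattern, host=None):
    """Like `ngrep -q PATTERN host HOST`: return (flow, payload) for every
    data segment whose payload matches PATTERN, optionally limited to one host."""
    rx = re.compile(pattern.encode(), re.MULTILINE)
    hits = []
    for src, sport, dst, dport, payload in extract_tcp_payloads(pcap):
        if host is not None and host not in (src, dst):
            continue
        if rx.search(payload):
            hits.append(("%s:%d -> %s:%d" % (src, sport, dst, dport), payload))
    return hits


# Constructed sample (hypothetical addresses): a scanner at 10.0.0.5 probes a
# server at 10.0.0.20 on HTTP and SMTP, and the web server answers once.
SCANNER, TARGET = "10.0.0.5", "10.0.0.20"
SAMPLE_PCAP = build_pcap([
    build_tcp_packet(SCANNER, TARGET, 40001, 80,
                     b"GET /cgi-bin/printenv HTTP/1.0\r\nHost: 10.0.0.20\r\n\r\n"),
    build_tcp_packet(TARGET, SCANNER, 80, 40001,
                     b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
    build_tcp_packet(SCANNER, TARGET, 40002, 25, b"EHLO scanner.example\r\n"),
])


def scanner_requests(pcap=SAMPLE_PCAP, scanner=SCANNER):
    """Only what the scanner sent, decoded as text: the raw requests, and the
    record of which probes were (and were not) run against the target."""
    return [(flow, payload.decode("latin-1"))
            for flow, payload in ngrep(pcap, r".", scanner)
            if flow.startswith(scanner + ":")]


if __name__ == "__main__":
    for flow, text in scanner_requests():
        print(flow + "\n" + text)
    print("HTTP requests:", len(ngrep(SAMPLE_PCAP, r"^(GET|POST|HEAD) ")))
```

To use it on a real scan, replace `SAMPLE_PCAP` with the bytes of a file written by `tcpdump -s 0 -w` (the `-s 0` matters: the default snaplen truncates payloads, and this extractor skips truncated segments rather than showing partial requests). Payloads are decoded as latin-1 so binary probes still print; filter with a pattern such as `^(GET|POST|HEAD) ` to pull out just the HTTP requests.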