
Thread: eEye Retina

  1. #11
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Originally posted here by ric-o
    Aspman:

    I use Retina at work and it's a great vulnerability auditor. It works best against Windows systems but does check others as well as network devices. They won many awards a few years back and rightfully so.

    Some pros:
    * Pretty thorough
    * Good point-and-click type of tool for folks who don't have tons of time to do auditing

    Some cons:
    * Reports are weak, very little customization can be done.
    * Not an enterprise-class type of tool in the way of managing it.

    If you couldn't tell already - I recommend it!

    <edit>
    Good note Lv4 on the yearly maintenance: without it the product starts becoming useless at the time of expiration because you'll stop getting exploit/audit updates. You gotta have the maintenance for new vuln testing.

    One other comment is that we use Retina in a layered audit architecture - it's just one of many tools we use. Others include Nessus, Metasploit Framework, N-Stealth, and other smaller tools.
    </edit>
    Wanted to make a couple of notes/comments as well:

    I've used Retina before and when it runs ok, it is pretty good, but I have had some flakiness problems from it (more on that later). Do want to mention that I do remember seeing something about the enterprise management side for it, but I never really paid that much attention to it, since it wasn't really applicable for anything that I did at that moment. I've run many tools, from Nessus to ISS to cybercop to Retina, and overall, Retina seems to be ok, but here were some of my beefs with it:

    1) Piss poor reporting. There just weren't a lot of options there, especially remediation. That is one of the things I always liked about ISS (and to some degree Nessus), is there were pretty reliable steps to do something about the problem that was discovered. There also were not a lot of options as far as how to break out the report. Now I will say there was a possibility that the version I had was nerfed in that respect, but based on earlier comments I suspect it isn't... I will add that it did have the capability in some cases to actually do the remediation itself, but I never had enough guts to turn it on (not really my job anyway)

    2) Engine quirkiness. Let me preface this by saying this was about a year ago and the issue may be fixed, but Retina basically runs as a System service...you tell it to scan, it adds a job, then the service runs the scan... Well...I had a scan that crapped out totally...and had no way whatsoever to get it out of the service...it tried but could never get rid of it...so it kept trying to scan this test system over and over again (even when not connected to the network)...Like I said, bug may be fixed now, but it was very frustrating to not be able to get rid of that scan gone wrong...

    3) Scan quirkiness. There were a couple of the checks that it ran that were kind of braindead...basically there were things out there that would reset a few of the vulnerability checks (tcp reset on the connection), but Retina would totally miss that the connection reset and would basically get stuck in an infinite loop on that vulnerability check, testing, getting reset, and retesting...

    Overall, I think it had promise and I certainly have seen worse vulnerability checkers, but I think there is also plenty of room for improvement. We had the cash laying around and had a license for ISS Internet Scanner (and have been using it for years), and I have seen nothing in Retina that would make me move away from ISS, though with ISS's pricing schema, it certainly is tempting...

    EDIT: Thought of some other things to consider after posting:

    1) The composition of your network. Ie, % of windows systems to unix to network devices...things like Retina work really well in Windows environments...whereas things like ISS/Nessus can handle Unix environments pretty smoothly.

    2) Number of systems that you are likely to scan at one time. Nessus is quite good at smaller scans (ie, class C or less), but I wouldn't want to try to do a large network with it (class B for example)...whereas something like ISS is a little easier to scan larger networks with (though you do have to be careful not to DOS the network with too much scanning traffic)....

    3) Reporting/Remediation. This is after all why you are running the scan. The ability to clearly show trends, common vulnerabilities, and good reports that you are able to use to either fix the systems directly, or make a case to make a change are from my experience important...the easier it is for pointy-hair bosses to understand, the better (but then on top have the capability to then generate a very detailed technical report)...to me I guess this was the biggest thing I didn't like about Retina...but at the same time, I wouldn't dismiss the possibility that lack of time using it contributed to that frustration...

    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  2. #12
    Senior Member
    Join Date
    May 2002
    Posts
    256
    I can say this....I have used Retina before and it works great. The cost was something that I always had an issue with, but it does do the job well. As mentioned previously, it does require some "getting used to" to actually know what all the features are available. I don't care for the reports too much. They need to be more robust to say the least.

    I DO however like SNSI (Sunbelt Network Security Inspector)...it scans Windows/Unix/Linux etc.
    I like the fact that portions of the database come from Harris STAT and that the SANS Top vulnerabilities are present. The reports are nice. They use a Crystal Reports backend so it makes it easy to use and to print out a neat "boss friendly" report to turn in. Link to the product is here: http://sunbelt-software.com/SunbeltN...yInspector.cfm
    The other cool thing is its licensed per admin, so regardless of how many machines you have, you can use this tool freely.

    That's just my opinion though
    Sex is like "Social Security". You get a little each month, but it's not enough to live on.

  3. #13
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    I've used (and use) Retina, it's OK, although I do agree with Nebulus that it has some flaws and I have seen it as being very flaky at times. You could of course look at one of the other (hundreds) of tools out there - Sunbelt, ISS, Nessus (in all its many versions - NeWT, Outpost 24 etc..).

    They all do the same thing so a key point is to pick one that is kept up to date. Several of the tools are supported by research groups who write new exploits etc.. so you can be sure of being up to date.

    Although I think at the end of the day a vulnerability scanner is only going to get you so far and then it's back to manual procedures.
    Quis custodiet ipsos custodes

  4. #14
    Banned
    Join Date
    May 2003
    Posts
    1,004
    I've used retina religiously for many years now... I've never had a single problem with it. Its reporting functionality is exactly what I look for and its CHAP technology has actually discovered new vulnerabilities.

    If I was stuck with one COTS vulnerability I'd choose retina. (as it is, I supplement with nessus and a custom product)

    cheers,

    catch

  5. #15
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    Many thanks for all replies, most useful. Greens on the way.

    Also thanks for the suggestions of other scanners to look at, time willing I'll try them but our time scale to access this extra cash is really tight. The boss likes the reputation of Retina so that probably means unless we find it to be trash we'll probably get it.
    It's a rush job, not ideal but I'm sure many of you have been in the same situation.

    I'll probably add to this thread as I'm using it or pm those of you who've offered.

  6. #16
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152

    First impressions

    Seems very slow compared to nessus.

    Some bugs appearing already. Aborted scans never dying.

    It's superficially easy to use but the manual is pants for using it in more depth.

  7. #17
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    Some bugs appearing already. Aborted scans never dying.
    The funny thing is I think they just reintroduced this bug. I haven't had this problem for a long while now (a couple of months after 5.0 came out) but I /just/ ran into the problem again a couple of weeks ago after running auto update.

    I put in another ticket with them about it, so hopefully it will go away. I'm not real sure why it is back though.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  8. #18
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    Just did the same:

    For whatever reason, the status on these jobs were never updated. To remove them, please do the following...

    1. Stop the Retina UI and eEye Retina Engine service
    2. Browse to 'Retina 5\Scans' on the filesystem and remove the RTD file associated (named after) the bad scan
    3. Start Retina back up and the job should be cleared

    I've managed to crash it a couple of times too and I'm only scanning a single machine.

  9. #19
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    Hmm, I confused this with the Packet sniffer Iris :s no wonder it wasn't making much sense to me. I'd go with Nessus if I were you. Can't truly justify it beyond the fact that it's Nessus and it rocks....but that's enough for me
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    And no one can recall the gentle features of the queen's face on that fair day when this land rested in holy peace and everyone had love to love with.

  10. #20
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    Originally posted here by Aspman
    Just did the same:



    I've managed to crash it a couple of times too and I'm only scanning a single machine.

    What build number are you using? I just got a response back from eEye and they are looking into the issue. The guy said they have had a "number of reports about this issue" so it isn't isolated. I'm just curious as to what builds are affected by it now.


    I'm on 5.3.4.1324.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
