eEye Retina

Printable View

Show 40 post(s) from this thread on one page

August 23rd, 2005, 10:54 PM
nebulus200

Quote:

Originally posted here by ric-o
Aspman:

I use Retina at work and it's a great vulnerability auditor. It works best against Windows systems but does check others as well as network devices. They won many awards a few years back and rightfully so.

Some pros:
* Pretty thorough
* Good point-and-click type of tool for folks who dont have tons of time to do auditing

Some cons:
* Reports are weak, very little customization can be done.
* Not an enterprise-class type of tool in the way of managing it.

If you couldn't tell already - I recommend it!

<edit>
Good note Lv4 on the yearly maintenance: without it the product starts becoming useless at the time of expiration because you'll stop getting exploit/audit updates. You gotta have the maintenance for new vuln testing.

One other comment is that we use Retina in a layered audit architecture - it's just one of many tools we use. Others include Nessus, Metasploit Framework, N-Stealth, and other smaller tools.
</edit>

Wanted to make a couple of notes/comments as well:

I've used Retina before and when it runs ok, it is pretty good, but I have had some flakiness problems from it (more on that later). Do want to mention that I do remember seeing something about the enterprise management side for it, but I never really paid that much attention to it, since it wasn't really applicable for anything that I did at that moment. I've run many tools, from Nessus to ISS to cybercop to Retina, and overall, Retina seems to be ok, but here were some of my beefs with it:

1) Piss poor reporting. There just weren't alot of options there, especially remediation. That is one of the things I always liked about ISS (and to some degree nessus), is there were pretty reliable steps to do something about the problem that was discovered. There also were not alot of options as far as how to break out the report. Now I will say there was a possibility that the version I had was nerfed in that respect, but based on earlier comments I suspect it isn't... I will add that it did have the capability in some cases to actually do the remediation itself, but I never had enough guts to turn it on :) (not really my job anyway)

2) Engine quirkiness. Let me preface this by saying this was about a year ago and the issue may be fixed, but Retina basically runs as a System service...you tell it to scan, it adds a job, then the service runs the scan... Well...I had a scan that crapped out totally...and had no way whatosever to get it out of the service...it tried but could never get rid of it...so it kept trying to scan this test system over and over again (even when not connected tot he network)...Like I said, bug may be fixed now, but it was very frustrating to not be able to get rid of that scan gone wrong...

3) Scan quirkiness. There were a couple of the checks that it ran that were kind of braindead...basically there were things out there that would reset a few of the vulnerability checks (tcp reset on the connection), but Retina would totally miss that the connection reset and would basically get stuck in an infinite loop on that vulnerability check, testing, getting reset, and retesting...

Overall, I think it had promise and I certainly have seen worse vulnerability checkers, but I think there is also plenty of room for improvement. We had the cash laying around and had a license for ISS Internet Scanner (and have been using it for yeares), and I have seen nothing in Retina that would make me move away from ISS, though with ISS's pricing schema, it certainly is tempting...

EDIT: Thought of some other things to consider after posting:

1) The composition of your network. Ie, % of windows systems to unix to network devices...things like Retina work really well in Windows environments...whereas things like ISS/Nessus can handle Unix environments pretty smoothly.

2) Number of systems that you are likely to scan at one time. Nessus is quite good at smaller scans (ie, class C or less), but I wouldn't want to try to do a large network with it (class B for example)...whereas something like ISS is a little easier to scan larger networks with (though you do have to be careful not to DOS the network with too much scanning traffic)....

3) Reporting/Remediation. This is after all why you are running the scan. The ability to clearly show trends, common vulnerabilities, and good reports that you are able to use to either fix the systems directly, or make a case to make a change are from my experience important...the easier it is for pointy-hair bosses to understand, the better (but then on top have the capability to then generate a very detailed techincal report)...to me I guess this was the biggest thing I didn't like about Retina...but at the same time, I wouldn't dismiss the possibility that lack of time using it contributed to that frustration...
August 24th, 2005, 12:35 AM
wildred

I can say this....I have used Retina before and it works great. The cost was something that I always had an issue with, but it does do the job well. As mentioned previously, it does require some "getting used to" to actually know what all the features are available. I don't care for the reports too much. They need to be more robust to say the least.

I DO however like SNSI (Sunbelt Network Security Inspector)...it scans Windows/Unix/Linix etc.
I like the fact that portions of the database come from Harris STAT and that the SANS Top vulnerabilities are present. The reports are nice. They use a Crystal Reports backend so it makes it easy to use and to print out a neat "boss friendly" report to turn in. Link to the product is here: http://sunbelt-software.com/SunbeltN...yInspector.cfm
The other cool thing is its licensed per admin, so regardless of how many machines you have, you can use this tool freely.

Thats just my opinion though :)
August 24th, 2005, 04:44 AM
R0n1n

I`ve used (and use) Retina, its ok, although I do agree with Nebulus that it has some flaws and i have seen it as being very flakey at times. You could of course look at one of the other (hundreds) f tools out there - Sunbelt, ISS, Nessus (in all its many versions - NeWT, Outpost 24 etc..).

They all do the same thing so a key point is to pick one that is kept up to date. Several of the tools are supported by research groups who write new exploits etc.. so you can be sure of being up to date.

Although I think at the end of the day a vulnerability scanner is only going to get you so far and then its back to manual procedures.
August 24th, 2005, 08:21 AM
catch

I've used retina religiously for many years now... I've never had a single problem with it. Its reporting functionality is exactly what I look for and its CHAP technology has actually discovered new vulnerabilities.

If I was stuck with one COTS vulnerability I'd choose retina. (as it is, I supplment with nessus and a custom product)

cheers,

catch
August 24th, 2005, 04:29 PM
Aspman

Many thanks for all replies, most useful. Greens on the way.

Also thanks for the suggestions of other scanners to look at, time willing I'll try them but our time scale to access this extra cash is really tight. The boss likes the reputation of Retina so that probably means unless we find it to be trash we'll probably get it.
It's a rush job, not ideal but I'm sure many of you have been in the same situation.

'll probably add to this thread as I'm using it or pm those of you who've offered.
September 6th, 2005, 11:26 AM
Aspman

First impressions

Seems very slow compaired to nessus.

Some bugs appearing already. Aborted scans never dying.

It's superficially easy to use but the manual is pants for using it in more depth.
September 6th, 2005, 05:11 PM
Lv4

Quote:

Some bugs appearing already. Aborted scans never dying.

The funny thing is I think they just reintroduced this bug. I haven't had this problem for a long while now (a couple of months after 5.0 came out) but I /just/ ran in to the problem again a couple of weeks ago after running auto update.

I put in another ticket with them about it, so hopefully it will go away. I'm not real sure why it is back though.
September 6th, 2005, 05:16 PM
Aspman

Just did the same:

Quote:

For whatever reason, the status on these jobs were never updated. To remove them, please do the following...

1. Stop the Retina UI and eEye Retina Engine service
2. Browse to 'Retina 5\Scans' on the filesystem and remove the RTD file associated (named after) the bad scan 3. Start Retina back up and the job should be cleared

I've managed to crash it a couple of times too and I'm only scanning a single machine.
September 6th, 2005, 07:40 PM
Noia

Hmm, I confused this with the Packet sniffer Iris :s no wonder it wasnt making much sence to me. I'd go with Nessus if I were you. Cant truly justify it beyond the fact that its nessus and it rocks....but thats enough for me :)
September 6th, 2005, 07:53 PM
Lv4

Quote:

Originally posted here by Aspman
Just did the same:

I've managed to crash it a couple of times too and I'm only scanning a single machine.

What build number are you using? I just got a response back from Eeye and they are looking in to the issue. The guy said they have had a "number of reports about this issue" so it isn't isolated. I'm just curious as to what builds are affected by it now.

I'm on 5.3.4.1324.

Show 40 post(s) from this thread on one page