Re: MBSA scanner

From: Javier Fernandez-Sanguino (jfernandez@germinus.com)
Date: Tue May 04 2004 - 08:00:15 EDT

• Next message: H D Moore: "Re: info on dir traversal techniques, any?"
• Previous message: Filipe A.: "RE: PacketShaper"
• In reply to: Igor Filippov: "RE: MBSA scanner"
• Next in thread: Rob Shein: "RE: MBSA scanner"
• Reply: Rob Shein: "RE: MBSA scanner"
• Reply: Igor Filippov: "Re: MBSA scanner"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Since you asked for comments here they are:

Igor Filippov wrote:
(...)
> Sara (many things also apply to Nessus):
> Good:
> - It's free

That's, unfortunately, not really true. Sara is built upon Satan which
is _not_ free. Check your COPYING file:

"Redistribution and use in source and binary forms are permitted
provided that this entire copyright notice is duplicated in all such
copies. No charge, other than an "at-cost" distribution fee, may be
charged for copies, derivations, or distributions of this material
without the express written consent of the copyright holders."

Since the "material" includes the documentation included in a report.
If you sold a commercial service which includes a Sara (or SAINT, for
that matter) report, you are violating its copyright. I doubt that
either Dan Farmer, Wietse Venema or the ARSC guys are going to pursue
you but if you use the data in any commercial way you _are_ violating
the license it was distributed you with.

Notice that SAINT, in this respect is even worst, since _they_ (the
company) are violating SATAN's license by charging money for the
redistribution of SATAN code (in their propietary product). I've
brought this to the attention of Mr. Farmer and Mr. Venema in the past.

Sara used to be GPL, but obviously that license is incompatible to the
real SATAN license and they have ammended that.

> - It runs on Linux

Well, that's not always a plus for everyone (it is for me :-)

> MBSA (most apply also to HFNetChk):
> Good:
> - It's free

Not free enough, read its EULA. Also, from the installation:

"Unauthorized reproduction or distribution of this program, or any
portion of it, may result in severe civil and criminal penalties...."

This makes it "not free enough" for professional auditors since you
_cannot_ include information from a BSA scan/report in any of your
audit reports. Again, Microsoft might or might not want to pursue this
  misuse.

Just to clear up the facts, the only free (in all senses) and
professional remote vulnerability scanner I know of are Nessus. For
free local vulnerability scanners I believe that OVAL [1] will become
a good alternative in the near future.

Regards

Javier

[1] http://oval.mitre.org

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------

• Next message: H D Moore: "Re: info on dir traversal techniques, any?"
• Previous message: Filipe A.: "RE: PacketShaper"
• In reply to: Igor Filippov: "RE: MBSA scanner"
• Next in thread: Rob Shein: "RE: MBSA scanner"
• Reply: Rob Shein: "RE: MBSA scanner"
• Reply: Igor Filippov: "Re: MBSA scanner"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:53 EDT