    Solved Network Vulnerability Scan with Reporting

    IT Discussion
    network scanning network security snort ossec
      dbeato

      I am working on setting up a Network Vulnerability Scan Server running CentOS or Debian and wanted to see what you do in this case when you need reporting. Right now I have

      • Snort
      • OSSEC

      I know of others but want to know which ones you recommend that can work well.

          stacksofplates

          We have Nessus. Not a huge fan because it just barfs out a ton of information. For >100 systems it might be fine. When you get into thousands of systems overall it's hard to manage and find anything.

          Red Hat has a nice one called Insights. It actually takes into account whether or not you use packages that have vulnerabilities and weights them accordingly. Like if OpenSSL has a vuln and you don't use SSH or HTTPS or anything related to it, it weights that differently than if multiple services were leveraging it. I sat through a demo of it but I don't know the cost.

          OpenVAS does this but is slow and the UI makes me want to cry.

          Rapid7 has Nexpose, but I have no clue on the cost.

          Seccubus works with a few different tools. It might be something to look into.

          https://www.seccubus.com/

            dbeato @stacksofplates

            @stacksofplates said in Network Vulnerability Scan with REporting:

            We have Nessus. Not a huge fan because it just barfs out a ton of information. For >100 systems it might be fine. When you get into thousands of systems overall it's hard to manage and find anything.

            Red Hat has a nice one called Insights. It actually takes into account whether or not you use packages that have vulnerabilities and weights them accordingly. Like if OpenSSL has a vuln and you don't use SSH or HTTPS or anything related to it, it weights that differently than if multiple services were leveraging it. I sat through a demo of it but I don't know the cost.

            OpenVAS does this but is slow and the UI makes me want to cry.

            Rapid7 has Nexpose, but I have no clue on the cost.

            Seccubus works with a few different tools. It might be something to look into.

            https://www.seccubus.com/

            Yeah OpenVAS is slow. I had not used Seccubus for sure.

              Kelly

              What perspective are you scanning from: external; internal, uncredentialed; or internal, trusted? That will affect the tools you use. We used Lynis (https://cisofy.com/lynis/), but that was more about compliance and vulnerability testing from an internal, trusted perspective.

                dbeato @Kelly

                @kelly said in Network Vulnerability Scan with REporting:

                What perspective are you scanning from: external; internal, uncredentialed; or internal, trusted? That will affect the tools you use. We used Lynis (https://cisofy.com/lynis/), but that was more about compliance and vulnerability testing from an internal, trusted perspective.

                We will be using it internally, and occasionally an external host, but 98% will be internal.

                  Kelly @dbeato

                  @dbeato said in Network Vulnerability Scan with REporting:

                  @kelly said in Network Vulnerability Scan with REporting:

                  What perspective are you scanning from: external; internal, uncredentialed; or internal, trusted? That will affect the tools you use. We used Lynis (https://cisofy.com/lynis/), but that was more about compliance and vulnerability testing from an internal, trusted perspective.

                  We will be using it internally, and occasionally an external host, but 98% will be internal.

                  I liked Lynis, but it runs on every device you need to scan rather than performing an external scan. This is more about hardening to protect from an attack instead of simulating a hostile reconnaissance.

                    dbeato @Kelly

                    @kelly said in Network Vulnerability Scan with REporting:

                    @dbeato said in Network Vulnerability Scan with REporting:

                    @kelly said in Network Vulnerability Scan with REporting:

                    What perspective are you scanning from: external; internal, uncredentialed; or internal, trusted? That will affect the tools you use. We used Lynis (https://cisofy.com/lynis/), but that was more about compliance and vulnerability testing from an internal, trusted perspective.

                    We will be using it internally, and occasionally an external host, but 98% will be internal.

                    I liked Lynis, but it runs on every device you need to scan rather than performing an external scan. This is more about hardening to protect from an attack instead of simulating a hostile reconnaissance.

                    So it is agent based, I have used OSSEC and OSSIM for that too.

                      Kelly @dbeato

                      @dbeato said in Network Vulnerability Scan with REporting:

                      @kelly said in Network Vulnerability Scan with REporting:

                      @dbeato said in Network Vulnerability Scan with REporting:

                      @kelly said in Network Vulnerability Scan with REporting:

                      What perspective are you scanning from: external; internal, uncredentialed; or internal, trusted? That will affect the tools you use. We used Lynis (https://cisofy.com/lynis/), but that was more about compliance and vulnerability testing from an internal, trusted perspective.

                      We will be using it internally, and occasionally an external host, but 98% will be internal.

                      I liked Lynis, but it runs on every device you need to scan rather than performing an external scan. This is more about hardening to protect from an attack instead of simulating a hostile reconnaissance.

                      So it is agent based, I have used OSSEC and OSSIM for that too.

                      Yup

                        dafyre

                        OpenVAS is a good one.

                          dbeato @dafyre

                          @dafyre said in Network Vulnerability Scan with REporting:

                          OpenVAS is a good one.

                          That is what I am using right now, it has great reporting.

                            dafyre @dbeato

                            @dbeato said in Network Vulnerability Scan with REporting:

                            @kelly said in Network Vulnerability Scan with REporting:

                            @dbeato said in Network Vulnerability Scan with REporting:

                            @kelly said in Network Vulnerability Scan with REporting:

                            What perspective are you scanning from: external; internal, uncredentialed; or internal, trusted? That will affect the tools you use. We used Lynis (https://cisofy.com/lynis/), but that was more about compliance and vulnerability testing from an internal, trusted perspective.

                            We will be using it internally, and occasionally an external host, but 98% will be internal.

                            I liked Lynis, but it runs on every device you need to scan rather than performing an external scan. This is more about hardening to protect from an attack instead of simulating a hostile reconnaissance.

                            So it is agent based, I have used OSSEC and OSSIM for that too.

                            OSSIM is good, as I think it has a built-in vulnerability scanner too, but it's more like a Snort / Suricata / IDS log collector, IIRC.

                              dbeato @dafyre

                              @dafyre said in Network Vulnerability Scan with REporting:

                              @dbeato said in Network Vulnerability Scan with REporting:

                              @kelly said in Network Vulnerability Scan with REporting:

                              @dbeato said in Network Vulnerability Scan with REporting:

                              @kelly said in Network Vulnerability Scan with REporting:

                              What perspective are you scanning from: external; internal, uncredentialed; or internal, trusted? That will affect the tools you use. We used Lynis (https://cisofy.com/lynis/), but that was more about compliance and vulnerability testing from an internal, trusted perspective.

                              We will be using it internally, and occasionally an external host, but 98% will be internal.

                              I liked Lynis, but it runs on every device you need to scan rather than performing an external scan. This is more about hardening to protect from an attack instead of simulating a hostile reconnaissance.

                              So it is agent based, I have used OSSEC and OSSIM for that too.

                              OSSIM is good, as I think it has a built-in vulnerability scanner too, but it's more like a Snort / Suricata / IDS log collector, IIRC.

                              OSSIM is Alien Vault OpenSource and can be more convoluted than OpenVAS, as it just has so much information and can also be your Syslog server as well. It is pretty big.

                                stacksofplates @dbeato

                                @dbeato said in Network Vulnerability Scan with REporting:

                                @dafyre said in Network Vulnerability Scan with REporting:

                                @dbeato said in Network Vulnerability Scan with REporting:

                                @kelly said in Network Vulnerability Scan with REporting:

                                @dbeato said in Network Vulnerability Scan with REporting:

                                @kelly said in Network Vulnerability Scan with REporting:

                                What perspective are you scanning from: external; internal, uncredentialed; or internal, trusted? That will affect the tools you use. We used Lynis (https://cisofy.com/lynis/), but that was more about compliance and vulnerability testing from an internal, trusted perspective.

                                We will be using it internally, and occasionally an external host, but 98% will be internal.

                                I liked Lynis, but it runs on every device you need to scan rather than performing an external scan. This is more about hardening to protect from an attack instead of simulating a hostile reconnaissance.

                                So it is agent based, I have used OSSEC and OSSIM for that too.

                                OSSIM is good, as I think it has a built-in vulnerability scanner too, but it's more like a Snort / Suricata / IDS log collector, IIRC.

                                OSSIM is Alien Vault OpenSource and can be more convoluted than OpenVAS, as it just has so much information and can also be your Syslog server as well. It is pretty big.

                                I forgot to mention this one. Wazuh combines ELK and OSSEC. I played with it a while ago and it wasn't too bad to set up.

                                  dbeato

                                  OpenVAS has been working fine, now I am playing with Wazuh 🙂

                                    IRJ @dbeato

                                    @dbeato said in Network Vulnerability Scan with REporting:

                                    @dafyre said in Network Vulnerability Scan with REporting:

                                    @dbeato said in Network Vulnerability Scan with REporting:

                                    @kelly said in Network Vulnerability Scan with REporting:

                                    @dbeato said in Network Vulnerability Scan with REporting:

                                    @kelly said in Network Vulnerability Scan with REporting:

                                    What perspective are you scanning from: external; internal, uncredentialed; or internal, trusted? That will affect the tools you use. We used Lynis (https://cisofy.com/lynis/), but that was more about compliance and vulnerability testing from an internal, trusted perspective.

                                    We will be using it internally, and occasionally an external host, but 98% will be internal.

                                    I liked Lynis, but it runs on every device you need to scan rather than performing an external scan. This is more about hardening to protect from an attack instead of simulating a hostile reconnaissance.

                                    So it is agent based, I have used OSSEC and OSSIM for that too.

                                    OSSIM is good, as I think it has a built-in vulnerability scanner too, but it's more like a Snort / Suricata / IDS log collector, IIRC.

                                    OSSIM is Alien Vault OpenSource and can be more convoluted than OpenVAS, as it just has so much information and can also be your Syslog server as well. It is pretty big.

                                    Alien Vault just uses OpenVAS with their GUI on top. I've confirmed this with their support.

                                      dbeato @IRJ

                                      @irj said in Network Vulnerability Scan with REporting:

                                      @dbeato said in Network Vulnerability Scan with REporting:

                                      @dafyre said in Network Vulnerability Scan with REporting:

                                      @dbeato said in Network Vulnerability Scan with REporting:

                                      @kelly said in Network Vulnerability Scan with REporting:

                                      @dbeato said in Network Vulnerability Scan with REporting:

                                      @kelly said in Network Vulnerability Scan with REporting:

                                      What perspective are you scanning from: external; internal, uncredentialed; or internal, trusted? That will affect the tools you use. We used Lynis (https://cisofy.com/lynis/), but that was more about compliance and vulnerability testing from an internal, trusted perspective.

                                      We will be using it internally, and occasionally an external host, but 98% will be internal.

                                      I liked Lynis, but it runs on every device you need to scan rather than performing an external scan. This is more about hardening to protect from an attack instead of simulating a hostile reconnaissance.

                                      So it is agent based, I have used OSSEC and OSSIM for that too.

                                      OSSIM is good, as I think it has a built-in vulnerability scanner too, but it's more like a Snort / Suricata / IDS log collector, IIRC.

                                      OSSIM is Alien Vault OpenSource and can be more convoluted than OpenVAS, as it just has so much information and can also be your Syslog server as well. It is pretty big.

                                      Alien Vault just uses OpenVAS with their GUI on top. I've confirmed this with their support.

                                      Yes, just too many things in one system.

                                        nadnerB

                                        We're using InsightVM (product of Rapid7).

                                          Obsolesce

                                          I really like OpenVAS and never noticed it being slow... it scans, and reports its findings in an excellent way. Very intuitive and useful. It is worth spinning one up.

                                            dbeato @Obsolesce

                                            @obsolesce said in Network Vulnerability Scan with REporting:

                                            I really like OpenVAS and never noticed it being slow... it scans, and reports its findings in an excellent way. Very intuitive and useful. It is worth spinning one up.

                                            It is slow to start the tasks

                                              IRJ @dbeato

                                              @dbeato said in Network Vulnerability Scan with REporting:

                                              @obsolesce said in Network Vulnerability Scan with REporting:

                                              I really like OpenVAS and never noticed it being slow... it scans, and reports its findings in an excellent way. Very intuitive and useful. It is worth spinning one up.

                                              It is slow to start the tasks

                                              Definitely.

                                              Nessus is so much faster. In a big environment, OpenVAS just isn't usable. It isn't bad for smaller environments, though.
