A list of unpatched IE vulnerabilities, currently at 31. yikes!

I was checking out what products Tenable Security, founded by Renaud Deraison and Ron Gula, were offering and ran into their passive vulnerability scanner called NeVO. For the month of September they are offering a free trial of this tool so I decided to give it a spin. NeVO should be deployed much like a NIDS in the fact that it needs to be on a SPAN/mirror port for the hosts that you want to scan and the hardware specs should scale with the size of the pipe. It is signature based, does passive OS detection (utilizing p0f), banner grabbing, and applies regex’es on payloads. NeVO has 656 plugins, or signatures, whereas it’s active vulnerability scanner brother Nessus has 1779 plugins. I started it up with

./nevo -c nevo.conf -r nevo.nsr &

and let it run for a day on my internal network. The next day I took a look at the nevo.nsr file, by default NeVO will write it’s Nessus format output file every 5 minutes, and found a few interesting tidbits of data such as remote banners and a vulnerable version of wget someone was running . Keep in mind I had it running inside my firewall so there wasn’t much traffic.

I think NeVO has it’s best use in:

• high traffic networks where reactive scans aren’t feasible because of disruption risks or volume
• detecting vulnerabilities on machines that aren’t directly owned or controlled by the organization
• networks where machines and open services are dynamic
• complementing a weekly/monthly active scan

Jab at Cisco by Juniper. Jab at DARPA by OpenBSD.

I’ve recently subscribed to the tcpdump-workers mailing list and have learned that the CVS version of tcpdump has support for decrypting IPsec ESP packets. The tcpdump website has daily tarballs of CVS for download. The new option, -E, should be useful in debugging IPsec networking problems and I can’t wait to try it out.