OpenVAS Change Request #1: Introduce OID as replacement for script_id

Status: Voted +5. Done. Legacy OID URLs implemented in OpenVAS-Client since 1.0.3, exclusive use of OIDs since 2.0.0.

Purpose

To support distributed development of NVTs while avoiding ID conflicts on a systematic basis.

To avoid confusion and/or conflicts with Nessus script IDs, from which the current IDs are inherited, even though the scripts themselves may by now differ because of maintenance modifications.

References

Discussion on openvas-discuss mailing list

Rationale

The current ID scheme for NVTs is based on integer values. Scripts inherited from Nessus have IDs 1NNNN and 2NNNN, the Debian Local Security Checks (DLSCs) have 5NNNN and 6NNNN; not all values in these ranges are used by scripts.

It is a conceivable option to continue by assigning further ranges to specific contributors, but this will cause problems: either the ranges are too big and the ID space is exhausted, or the ranges are small and multiple assignments need to be managed for the same contributor. Assignments to families reveal other problems: the range was too small and a family might be spread over two or more ID ranges.

A more generic alternative is the use of an OID scheme which solves:

Effects

In effect this means that new OpenVAS servers can use old NASL scripts, but old servers will not be able to handle new NASL scripts. Since it does not make sense to manage a special feed with the old ID scheme (high effort), all OpenVAS users will be forced to update to the new server if they want to use the new scripts. Thus, the new OpenVAS server should be released and distributed before OIDs start to be applied in scripts. A clear timeline must be communicated to all users stating by when they have to update the server at the latest.

Even earlier, the OpenVAS clients need to be updated (highest priority).

It needs to be evaluated whether it makes sense to have a convenience workaround in which OIDs are transformed into integer IDs (e.g. 1.3.6.1.4.1.25623.1.0.1157.1 to 11001157001). Uniqueness of such convenience IDs cannot be guaranteed, but collisions would be quite unlikely. If a convenience ID is applied, backward compatibility would be possible to some extent.

Design and Implementation

OID scheme by example:

Note: OpenVAS OIDs can be applied to arbitrary things, so NVTs are only one group.

Legacy OID for old Nessus script ID 976:
1.3.6.1.4.1.25623.1.0.976 = iso.org.dod.internet.private.enterprise.OpenVAS.NVT.legacy.976

Group for support scripts (e.g. information gatherer):
1.3.6.1.4.1.25623.1.1 = iso.org.dod.internet.private.enterprise.OpenVAS.NVT.lib

Support script for gathering the package information from target host (gather-package-list.nasl):
1.3.6.1.4.1.25623.1.1.1 = iso.org.dod.internet.private.enterprise.OpenVAS.libraries.gather-package-list

Family of Local Vulnerability Checks Level 1 for Debian Security Alerts:
1.3.6.1.4.1.25623.1.2 = iso.org.dod.internet.private.enterprise.OpenVAS.NVT.DSA-LVT-L1

Version 1 of DSA 1157 implemented as Local Vulnerability Check Level 1:
1.3.6.1.4.1.25623.1.2.1157.1 = iso.org.dod.internet.private.enterprise.OpenVAS.NVT.DSA.1157.1
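The following is an added example, not code from the OpenVAS project, showing how a feed tool could parse and build NVT OIDs under the scheme above and detect the ID conflicts this change request is meant to prevent. The enterprise arc 1.3.6.1.4.1.25623 and the branch numbers (1.0 legacy, 1.1 lib, 1.2 DSA-LVT-L1) come from the examples above; the function names, the NvtOid fields and the sample script registry are this example's own assumptions.

```python
"""Parse, build and conflict-check NVT OIDs under the OpenVAS enterprise arc.

Added illustration of the OID scheme in this change request; not OpenVAS code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

OPENVAS_ENTERPRISE = "1.3.6.1.4.1.25623"  # iso.org.dod.internet.private.enterprise.OpenVAS
NVT_ARC = 1        # OpenVAS.NVT
LEGACY = 0         # OpenVAS.NVT.legacy.<old Nessus script id>
LIB = 1            # OpenVAS.NVT.lib.<support script index>
DSA_LVT_L1 = 2     # OpenVAS.NVT.DSA-LVT-L1.<DSA number>.<version>


@dataclass(frozen=True)
class NvtOid:
    kind: str                # "legacy", "lib" or "dsa" (names chosen for this example)
    number: int              # legacy script id, lib index, or DSA number
    version: Optional[int]   # only set for DSA checks
    oid: str                 # the dotted OID as given


def parse_nvt_oid(oid: str) -> NvtOid:
    """Classify an OID according to the branches defined in the change request.

    Raises ValueError for anything outside the OpenVAS NVT arc or with an
    arc count that does not match one of the known branches.
    """
    prefix = OPENVAS_ENTERPRISE + "."
    if not oid.startswith(prefix):
        raise ValueError(f"not an OpenVAS OID: {oid}")
    parts = oid[len(prefix):].split(".")
    # Every arc must be a non-negative integer; str.isdigit rejects '-', ' ', ''.
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed OID arcs: {oid}")
    arcs = [int(p) for p in parts]
    if len(arcs) < 3 or arcs[0] != NVT_ARC:
        raise ValueError(f"not an NVT OID: {oid}")
    branch, rest = arcs[1], arcs[2:]
    if branch == LEGACY and len(rest) == 1:
        return NvtOid("legacy", rest[0], None, oid)
    if branch == LIB and len(rest) == 1:
        return NvtOid("lib", rest[0], None, oid)
    if branch == DSA_LVT_L1 and len(rest) == 2:
        return NvtOid("dsa", rest[0], rest[1], oid)
    raise ValueError(f"unknown NVT branch or arity: {oid}")


def legacy_oid(script_id: int) -> str:
    """OID for an NVT that still carries an old integer script id."""
    return f"{OPENVAS_ENTERPRISE}.{NVT_ARC}.{LEGACY}.{script_id}"


def dsa_oid(dsa_number: int, version: int) -> str:
    """OID for version <version> of the Level 1 local check for DSA <dsa_number>."""
    return f"{OPENVAS_ENTERPRISE}.{NVT_ARC}.{DSA_LVT_L1}.{dsa_number}.{version}"


def conflicting_oids(registry: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each OID claimed by more than one script file to the list of files.

    `registry` maps a script filename to the OID it declares. Two contributors
    who independently pick the same integer id collide here; under the OID
    scheme each contributor owns a branch, so collisions only arise within it.
    """
    seen: Dict[str, List[str]] = {}
    for filename, oid in registry.items():
        seen.setdefault(parse_nvt_oid(oid).oid, []).append(filename)
    return {oid: sorted(files) for oid, files in seen.items() if len(files) > 1}


if __name__ == "__main__":
    # Constructed sample registry: two files mistakenly declare the same legacy OID.
    sample = {
        "nessus_976.nasl": legacy_oid(976),
        "gather-package-list.nasl": f"{OPENVAS_ENTERPRISE}.1.1.1",
        "dsa_1157.nasl": dsa_oid(1157, 1),
        "nessus_976_copy.nasl": legacy_oid(976),
    }
    for name, oid in sample.items():
        print(name, "->", parse_nvt_oid(oid))
    print("conflicts:", conflicting_oids(sample))
```

The parser is deliberately strict about arc counts, so a script that declares a DSA OID without a version, or a legacy OID with extra arcs, is rejected at feed-build time rather than silently accepted and later misinterpreted by a server.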

History