OpenVAS Change Request #57: NVT Feed Product Detection Improvements
Status: Voted +7. In progress.
Consolidation of product detections done by NVTs and supporting tools like nmap.
This change request proposes a consolidation of the product detection NVTs. The main reasons are:
Separate service detection (protocols) from the detection of actual products, so that developers ultimately have a precise guide and examples of how to write new product detections, where to find existing ones, and how to use their results in actual vulnerability assessment.
Have product detection create no noise in terms of alerting. The plain detection of a product should not raise an alarm. Thus reports should contain less noise.
Always inform the user how a vulnerability test acquired the product information. It is often relevant whether it came from a remote banner or from a direct package version detection.
In the reports, the number of "Low" messages will decrease, the number of "Log" messages will increase.
Design and Implementation
A new family "Product detections" is to be created where the cleaned up and reworked NVTs will be added.
For any product detection NVT CVSS is set to 0.0 and risk factor to "None".
For any product detection NVT the only messages allowed are log_message() and debug_message().
For any product detection NVT the description should explain how the detection is performed, nothing else.
For any product detection NVT the log_message() should contain only information about special findings that helped to detect the product. For example, the full banner that was retrieved. The user must be enabled to understand how the product detection was performed, what the observed data is and what the conclusion of the product detection was (a CPE in most cases).
For any product detection NVT the CPE should be registered with the host results.
For any product detection NVT a tag "detection" should be added defining the detection method:
One intention of the detection method is to rank reliability: a direct package version is more reliable than the associated banner (typical e.g. for Debian, where patches are applied but the version indications are not). Having the method as a tag lets users search the NVT database by category far more easily than if the detection method were only mentioned in the description text.
Product detection NVTs should _not_ try to identify protocols; this is the task of Service Detections. Of course, a Service Detection can be set as a dependency, and the adequate required keys can be defined for protocols.
NVTs that currently do a product detection _and_ a vulnerability assessment should be split up into two NVTs.
NVTs that currently do a product detection _and_ a service detection should be split up into two NVTs.
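The following is an added, constructed example (not an NVT from the feed) of a product detection NVT laid out according to the rules above: CVSS 0.0, risk factor "None", a "detection" tag, a Service Detection as dependency with a required key, CPE registration, and a log_message() that shows only the observed banner and the conclusion. The OID, the product "ExampleServer", its CPE base, and the tag value "remote_banner" are assumed values; the helpers from http_func.inc, cpe.inc and host_details.inc are assumed to be available in the feed's include files.

```nasl
# Constructed example product detection NVT; OID, product and CPE are placeholders.
if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.999999");           # placeholder OID
  script_version("$Revision: 1 $");
  script_tag(name:"cvss_base", value:"0.0");             # plain detection: no score
  script_tag(name:"risk_factor", value:"None");
  script_tag(name:"detection", value:"remote_banner");   # assumed tag value
  script_name("ExampleServer Detection (HTTP banner)");
  script_summary("Reads the HTTP Server header to detect ExampleServer");
  script_category(ACT_GATHER_INFO);
  script_family("Product detection");
  script_copyright("Constructed example");
  # Protocol identification is left to the Service Detection we depend on.
  script_dependencies("find_service.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);
  # The description says only how the detection is performed.
  script_tag(name:"summary", value:"The script parses the HTTP Server header and
registers a CPE for ExampleServer when the banner names it.");
  exit(0);
}

include("http_func.inc");
include("cpe.inc");
include("host_details.inc");

port = get_http_port(default:80);
if (!port) exit(0);

banner = get_http_banner(port:port);
if (!banner) exit(0);

# Observed data: a header such as "Server: ExampleServer/1.2.3" (product assumed).
match = eregmatch(pattern:"Server: ExampleServer/([0-9.]+)", string:banner);
if (isnull(match)) exit(0);

version = match[1];
cpe = build_cpe(value:version, exp:"^([0-9.]+)", base:"cpe:/a:example:exampleserver:");
if (isnull(cpe)) cpe = "cpe:/a:example:exampleserver";

# Register the conclusion with the host results and the KB for vulnerability NVTs.
set_kb_item(name:"www/" + port + "/ExampleServer", value:version);
register_product(cpe:cpe, location:port + "/tcp", port:port);

# Only log_message(): what was observed, and what was concluded from it.
report = "Detected ExampleServer version " + version + "\n" +
         "CPE: " + cpe + "\n" +
         "Concluded from the remote HTTP banner:\n" + banner;
log_message(port:port, data:report);
exit(0);
```

A separate vulnerability NVT would then read the KB key or the registered CPE and state in its own report that the version came from a remote banner.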
- 2011-11-21 Henri Doreau <henri.doreau at greenbone dot net>:
- 2011-11-10 Henri Doreau <henri.doreau at greenbone dot net>:
Added reference to the implementation proposal.
- 2011-10-27 Jan-Oliver Wagner <jan-oliver.wagner at greenbone dot net>: