
OpenVAS Change Request #57: NVT Feed Product Detection Improvements

Status: Voted +7. In progress.

References

Purpose

Consolidation of product detections done by NVTs and supporting tools like nmap.

Rationale

This change request aims to consolidate the product detection NVTs. The main reasons are:

Effects

In the reports, the number of "Low" messages will decrease and the number of "Log" messages will increase.

Design and Implementation

A new family "Product detections" is to be created, to which the cleaned-up and reworked NVTs will be added.

For any product detection NVT, CVSS is set to 0.0 and the risk factor to "None".

For any product detection NVT the only messages allowed are log_message() and debug_message().

For any product detection NVT the description should explain how the detection is performed, nothing else.

For any product detection NVT the log_message() should contain only information about special findings that helped to detect the product, for example the full banner that was retrieved. The user must be able to understand how the product detection was performed, what the observed data is and what the conclusion of the product detection was (a CPE in most cases).

For any product detection NVT the CPE should be registered with the host results.

For any product detection NVT a tag "detection" should be added defining the detection method:

One purpose of the detection method is to rank reliability. A direct package version is more reliable than the associated banner (typical, for example, of Debian, where patches are applied but the version indications do not change). Having the method as a tag will allow users to search on categories in the NVT database more easily than if the detection method were only mentioned in the description text.

Product detection NVTs should _not_ try to identify protocols; this is part of Service Detections. Of course, a service detection can be set as a dependency, and adequate required keys can be defined for protocols.

NVTs that currently do a product detection _and_ a vulnerability assessment should be split up into two NVTs.

NVTs that currently do a product detection _and_ a service detection should be split up into two NVTs.
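The rules above can be checked mechanically when reworking NVTs. The following linter is an added example, not part of the change request or of OpenVAS; the tag names "cvss_base" and "risk_factor", the reporting calls security_hole/security_warning/security_note, and the NASL samples (including the placeholder detection value) are assumptions constructed for illustration.

```python
import re

# Assumed NASL spellings (not stated in the change request): tag names
# "cvss_base"/"risk_factor" and the non-log reporting calls listed here.
FORBIDDEN_CALLS = ("security_hole", "security_warning", "security_note")
TAG_RE = re.compile(r'script_tag\s*\(\s*name\s*:\s*"([^"]+)"\s*,\s*value\s*:\s*"([^"]*)"\s*\)')
FAMILY_RE = re.compile(r'script_family\s*\(\s*"([^"]+)"\s*\)')

def lint_detection_nvt(source):
    """Return the list of rule violations for one product detection NVT."""
    code = re.sub(r'#.*$', '', source, flags=re.MULTILINE)  # crude: ignores '#' in strings
    tags = dict(TAG_RE.findall(code))
    family = FAMILY_RE.search(code)
    problems = []
    if not family or family.group(1) != "Product detections":
        problems.append("family is not 'Product detections'")
    if tags.get("cvss_base") != "0.0":
        problems.append("CVSS is not 0.0")
    if tags.get("risk_factor") != "None":
        problems.append("risk factor is not 'None'")
    if not tags.get("detection"):
        problems.append("missing 'detection' tag")
    for call in FORBIDDEN_CALLS:
        if re.search(r'\b%s\s*\(' % call, code):
            problems.append("uses %s(); only log_message()/debug_message() allowed" % call)
    return problems

# Constructed sample NVTs; "<detection-method>" is a placeholder value.
GOOD = '''
script_family("Product detections");
script_tag(name:"cvss_base", value:"0.0");
script_tag(name:"risk_factor", value:"None");
script_tag(name:"detection", value:"<detection-method>");
banner = "ExampleFTPd 1.2.3";  # constructed banner
log_message(port:21, data:"Detected via banner: " + banner);
'''
BAD = '''
script_family("FTP");
script_tag(name:"cvss_base", value:"5.0");
script_tag(name:"risk_factor", value:"Medium");
# security_note(port:21);  commented out, must not count
security_warning(port:21, data:"ExampleFTPd 1.2.3 is outdated");
'''

if __name__ == "__main__":
    for name, src in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_detection_nvt(src) or "ok")
```

The BAD sample mixes detection with a vulnerability report, which is the case the change request says should be split into two NVTs. CPE registration is not checked here.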

History