
Flan Scan: Lightweight Network Vulnerability Scanner - 0xmohit
https://blog.cloudflare.com/introducing-flan-scan/
======
hannob
I ran it against a few servers I'm responsible for. I'm not impressed.

I got a large number of reports for a Debian system running Apache. These were
all old vulnerabilities where fixes were backported to Debian's packages, so
these are false positives. Also got a warning for another server about the
recent XMSS issue in OpenSSH, which is code that is disabled by default (and
disabled on the scanned server).

It seems all this tool does is some kind of version matching (i.e. "a CVE has
been reported for version x.y.z of software A, so a server running x.y.z is
vulnerable"). This is a poor proxy for the actual existence of a
vulnerability. It's not a "vulnerability scanner" in a sense that it actually
tests for the presence of a vulnerability.

(Full disclosure: Just copied over my comment I posted on reddit earlier
today)

~~~
thaumaturgy
This has been my experience with similar tools (mostly openvas / greenbone)
and companies peddling vulnerability tests for compliance purposes. There
doesn't seem to be a lot of "functional scanning" in this space, like you're
talking about.

So I agree the false positives are a pain in networks with patched systems but
this also seems to be standard behavior.

~~~
ejcx
Yes, it’s unfortunately standard for expensive scanners too.

Our goal was to make something easy to run and deploy with similar results to
something like openvas or Nessus.

I personally think accuracy issues are because security vendors don’t want to
show that their expensive software found nothing, so they dial down the
accuracy. This works using the same methods as Nessus: banner grabbing and
indexing issues.

We are going to keep working on this and look for ways to make it more
accurate, but I’d say our results with this versus our expensive scanners were
pretty much the same.

~~~
jascii
"I personally think accuracy issues are because security vendors don’t want to
show that their expensive software found nothing"

That might be a bit cynical; not sure I'd call openvas expensive. I think it
comes down to the fact that the damage of a single false negative can far
outweigh the cost of the false positives. In the end, these scanners are
mostly a tool to help document your security efforts, often for compliance
reasons, making you think about and document the choices you make from a
security perspective.

~~~
ejcx
Definitely a little cynical =]. I think the same thing about a lot of 3rd
party security consulting.

OpenVAS is free, but the big issue we've had with it is the complexity of
setting it up and maintaining it. We are a security team, and would rather not
spend our time managing servers, especially since we aren't the best people to
do that at Cloudflare.

~~~
bostik
Yeah, OpenVAS is a nasty piece of work to set up and operate reliably.
Especially headless.

Shameless plug: I got it to work. Will be doing a talk about the experience at
week's DC4420 meeting.

~~~
papower
Are you in a position to share that session online or perhaps a blog post on
your experience and approach?

I've looked at it (openvas), got something working, but was never happy with
it and ended up returning to a simpler/proven nmap base that I could manage
better and add complexity if/when needed.

~~~
bostik
I was planning to do a blog post in about a month's time. The DC4420 meetings
and/or talks are not recorded (luckily!), but I intend to polish the talk up
for a future re-run.

On the other hand.. I _do_ have something that might be enough to get you
going. The setup we built is open:
[https://github.com/smarkets/vuln-scanner](https://github.com/smarkets/vuln-scanner)
- go have a look.

The glue code has comments on some of the stranger bugs I had to work around.
So does the readme. If something isn't clear, feel free to ask.

~~~
papower
Thanks, looks promising.

One of my challenges was understanding the zoo of tests OpenVAS would run
and trying to reliably select which ones to apply. Did you, or anyone here,
ever spot a way of outputting all the tests (nmap scripts etc.) that a
particular run would trigger (but without actually running them)?

~~~
bostik
Sadly no. We tried to figure out a way to reliably and permanently disable a
whole suite of test scripts, but that got surprisingly fiddly.

I _think_ there might be a way to choose categories to include/exclude but
haven't had the time to actually investigate.

------
bloblaw
Remember: This is a 50 line Python script that is a wrapper for nmap + vulners
NSE script.

It's not a product, but some simple automation around existing tooling. Better
than paying $$$ for a full-fledged scanner? Maybe, but it depends on your use
case.
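
The two points above (hannob's observation that the findings are version matches that cannot see backported fixes, and bloblaw's description of the tool as a small wrapper over nmap plus the vulners NSE script) can be illustrated with a triage step that such a wrapper would need. The following is an added example, not Flan Scan's code or Cloudflare's: it parses nmap XML output containing vulners script results and separates findings that a human has already reviewed as backport false positives from the ones still open. The XML sample is constructed; its `<table key="cpe:...">` / `<elem key="id">` layout is assumed to mirror what vulners.nse emits, and the CVE identifiers, host address and suppression reasons are placeholders.

```python
"""Triage findings from `nmap -sV --script vulners -oX out.xml` (added example).

Version matching on a banner such as "OpenSSH 7.4p1" cannot tell whether a
distribution backported the fix, so every finding is only a candidate until
someone verifies it.  The suppression list records those verdicts so they
survive the next scan instead of being re-triaged every week.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of nmap XML output with vulners script results.
# Structure assumed to follow vulners.nse; all identifiers are placeholders.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4p1"/>
        <script id="vulners" output="(omitted)">
          <table key="cpe:/a:openbsd:openssh:7.4p1">
            <table>
              <elem key="id">CVE-EXAMPLE-0001</elem>
              <elem key="type">cve</elem>
              <elem key="is_exploit">false</elem>
              <elem key="cvss">7.5</elem>
            </table>
            <table>
              <elem key="id">CVE-EXAMPLE-0002</elem>
              <elem key="type">cve</elem>
              <elem key="is_exploit">false</elem>
              <elem key="cvss">5.0</elem>
            </table>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.25"/>
        <script id="vulners" output="(omitted)">
          <table key="cpe:/a:apache:http_server:2.4.25">
            <table>
              <elem key="id">CVE-EXAMPLE-0003</elem>
              <elem key="type">cve</elem>
              <elem key="is_exploit">false</elem>
              <elem key="cvss">9.8</elem>
            </table>
          </table>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Placeholder verdicts: (cpe, vuln id) -> reason a reviewer closed it.
SUPPRESSIONS = {
    ("cpe:/a:apache:http_server:2.4.25", "CVE-EXAMPLE-0003"):
        "fix backported in the distro package; verified against changelog",
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    product: str
    version: str
    cpe: str
    vuln_id: str
    cvss: float


def parse_vulners(xml_text: str) -> list[Finding]:
    """Extract one Finding per (service, vulnerability id) from nmap XML."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            for script in port.findall("script"):
                if script.get("id") != "vulners":
                    continue
                for cpe_table in script.findall("table"):
                    for entry in cpe_table.findall("table"):
                        fields = {e.get("key"): (e.text or "") for e in entry.findall("elem")}
                        findings.append(Finding(addr, int(port.get("portid")), product,
                                                version, cpe_table.get("key", ""),
                                                fields.get("id", ""),
                                                float(fields.get("cvss") or 0.0)))
    return findings


def severity(cvss: float) -> str:
    """Bucket a CVSS base score the way the report columns are labelled."""
    if cvss < 4.0:
        return "low"
    if cvss < 7.0:
        return "medium"
    return "high"


def triage(findings: list[Finding], suppressions: dict) -> dict:
    """Split findings into still-open ones and reviewer-closed false positives."""
    report = {"open": [], "suppressed": []}
    for f in findings:
        reason = suppressions.get((f.cpe, f.vuln_id))
        (report["suppressed"] if reason else report["open"]).append((f, reason))
    return report


def count_by_severity(findings: list[Finding]) -> dict:
    counts = {"low": 0, "medium": 0, "high": 0}
    for f in findings:
        counts[severity(f.cvss)] += 1
    return counts


if __name__ == "__main__":
    report = triage(parse_vulners(SAMPLE_XML), SUPPRESSIONS)
    for f, _ in report["open"]:
        print(f"OPEN {severity(f.cvss):6} {f.host}:{f.port} {f.product} {f.version} {f.vuln_id}")
    for f, why in report["suppressed"]:
        print(f"SUPPRESSED {f.host}:{f.port} {f.vuln_id}: {why}")
```

The suppression key deliberately includes the CPE, so the verdict is invalidated automatically when the service version on that host changes; the reason string is what makes the list auditable when a compliance reviewer asks why a "high" was closed.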

------
0xmohit
Flan Scan is a thin wrapper around Nmap that converts this popular open source
tool into a vulnerability scanner with the added benefit of easy deployment.

------
ejcx
Feel free to ask any questions you have. We have quite a few folks from
Cloudflare's security team here.

~~~
ignoramous
Vulners.com isn't a free service; are there other cheaper alternatives
(perhaps less comprehensive) that maintain a database of vulnerabilities?

Interestingly, the very impressive infosec people behind Vulners are employed
(?) by QIWI, a Russian payments company. That isn't an issue now that you
publicly claim to use their service, but were there any reservations raised by
legal or otherwise?

How much in relative terms were the cost savings when Cloudflare did switch to
in-house audits via Flan Scan given the requirements / development /
operational / maintenance effort expended + licensing service from Vulners?

Does Flan Scan also scan network equipment (like switches, routers etc)?

Given the complex heterogeneous nature of the global Cloudflare network, what
did the deployment process look like? Will there be a follow-up blog post on how
that was automated/accomplished?

What are the other big cloud / CDN providers doing to scan for vulns /
compliance at scale if you're privy to it? Have any of them shown interest in
contributing to and/or using Flan Scan?

What does the short-term and long-term roadmap for Flan Scan look like?

Why "Flan Scan"? :)

Thanks a lot.

------
internobody
Having had to deal with heavy duty, expensive, vendor-supplied scans in a
previous life (Qualys, yuck) this seems a very nice breath of fresh air.

~~~
ejcx
This is really our use case. A little bit of packaging around a pretty good
vuln scanner you can set up in 10 minutes.

I’ve managed Nessus in a past life and it was a nightmare.

------
microcolonel
That LaTeX report output is hot. It'd be cool if the bar could be raised for
scanners like this, which mostly just try to get services to respond with a
version number.

It is always funny seeing how less than a hundred lines of code can replace
six or seven digits in licensing, negotiation, lawyering, and time.

------
humtum
Cool project. I'd be interested in using the scan data to automate workflows.
Is Cloudflare hooking this into some security automation engine to make the
data actionable?

------
kylek
TL;DR: they use nmap + vulners (nmap script). Their wrapper outputs those
low/medium/high-risk CVE reports that no one likes to look at.

------
trhaynes
Every good vuln scanner needs a custom typeface — excited to hear about Flan
Scan Sans!

------
derpherpsson
The article essentially reads as "we paid lots of monies for a mediocre
scanner, and then we discovered that the FOSS nmap did everything we needed.
So we took nmap and added a little bit of extra, a web interface, and gave it
the name Flan Scanner."

. . .

The corporate world is so facepalm sometimes.

~~~
dewey
> added a little bit of extra, a web interface

Sometimes that's the difference between people using it and not using it. The
classic "rsync and a bunch of scripts vs. Dropbox" HN comment.

~~~
DjangoReinhardt
[https://news.ycombinator.com/item?id=9224](https://news.ycombinator.com/item?id=9224)

For people new to HN, this is the comment dewey is referring to, I think.
'dhouston' is Drew Houston, the founder of Dropbox.

