On 21.03.2012 14:41, Noel Butler wrote:
> On Wed, 2012-03-21 at 13:55 +0100, Reindl Harald wrote:
>>
> Firstly, as stated previously, I agree TRACE should be disabled by default
> because those that need it are probably at about 1 in 10000, and I'd like to
> see a proper vote called on it :) however...
>>
>> the fact is that Nessus scans usually complain about TRACE being on
>
> Nessus, although I do like it, and as it is a respected industry standard,
> has its fair share of false positives. For a simple example, look at FTP:
> running a public FTP server you get a severity "medium" warning, I mean
> like.. WTF... if anything, it should be an "info", which brings me to their
> LOW ratings, they need to introduce an INFO level, because 95% of "low" are
> not issues at all.
This is a different story: OpenVAS has an info level, and I guess Nessus does too, because OpenVAS is a fork.

That services are treated as medium is fine, because if Nessus finds a service and you do not know that it is running -> problem. It is the job of the auditor to flag the port as "info, OK", but he will NOT do this if it is a simple config option to disable TRACE and the application does not need it, so the defaults have to be sane.

Nothing more to say -> not my problem, I have disabled it.
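The check the thread is arguing about is easy to reproduce by hand, so here is an added example (not code from either poster) that does what a scanner does: send a TRACE request carrying a marker header and look at whether the server echoes it back. It assumes the target speaks plain HTTP/1.1 and that a server with TRACE switched off answers 405 (Apache httpd with `TraceEnable off` does; a mod_rewrite rule typically gives 403 instead); the header name `X-Trace-Probe`, the marker value and the sample responses are constructed for the example.

```python
"""Probe an HTTP server for TRACE and classify the answer the way a scanner would.

Added example, not part of the mailing-list thread. Assumptions: plain HTTP/1.1,
405/501 means the method is refused by the server itself (Apache httpd with
`TraceEnable off` behaves this way), 403 means a rule such as mod_rewrite
rejected it. The header name and marker value below are made up for the probe.
"""
import http.client

MARKER_HEADER = "X-Trace-Probe"  # hypothetical header used as the echo marker


def build_trace_request(host, path="/", marker="probe-0001"):
    """Raw request bytes a scanner would send (handy for sending over a bare socket)."""
    return (
        f"TRACE {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"{MARKER_HEADER}: {marker}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def classify_trace_response(status, headers, body, marker):
    """Map a TRACE response to a verdict.

    enabled  - 200 and our marker header comes back in the body (TRACE works)
    disabled - 405/501: the server refuses the method itself
    blocked  - 403: rejected by a rewrite/access rule rather than the method handler
    unclear  - anything else, including a 200 that does not echo the request
    """
    echoed = marker.encode("ascii") in body
    if status == 200 and echoed:
        return "enabled"
    if status in (405, 501):
        return "disabled"
    if status == 403:
        return "blocked"
    return "unclear"


def probe_trace(host, port=80, path="/", timeout=5.0, marker="probe-0001"):
    """Send a real TRACE request to host:port and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={MARKER_HEADER: marker})
        resp = conn.getresponse()
        return classify_trace_response(resp.status, dict(resp.getheaders()), resp.read(), marker)
    finally:
        conn.close()


# Constructed sample responses (not captured from any real host): what a server
# with TRACE enabled echoes, what one with TRACE off returns, and a 403 from a rule.
SAMPLE_ENABLED = (
    200,
    {"Content-Type": "message/http"},
    b"TRACE / HTTP/1.1\r\nHost: example.test\r\nX-Trace-Probe: probe-0001\r\n\r\n",
)
SAMPLE_DISABLED = (405, {"Allow": "GET,HEAD,POST,OPTIONS"}, b"<html>405 Method Not Allowed</html>")
SAMPLE_BLOCKED = (403, {}, b"Forbidden")


def demo():
    """Classify the three constructed samples; returns {name: verdict}."""
    samples = {"enabled": SAMPLE_ENABLED, "disabled": SAMPLE_DISABLED, "blocked": SAMPLE_BLOCKED}
    return {name: classify_trace_response(*sample, marker="probe-0001") for name, sample in samples.items()}


if __name__ == "__main__":
    import sys
    for name, verdict in demo().items():
        print(f"sample {name:<8} -> {verdict}")
    if len(sys.argv) > 1:  # optional live check: python trace_probe.py host [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(f"{sys.argv[1]}:{port} -> {probe_trace(sys.argv[1], port)}")
```

The same probe by hand is `curl -i -X TRACE http://host/`: a 200 with `Content-Type: message/http` and your own request headers in the body is the scanner's finding; a 405 after setting `TraceEnable off` (Apache httpd) is what you want to see. The verdict is keyed on the echoed marker rather than on the status code alone, because a 200 from a proxy or error page that does not reflect the request is not the same finding.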