Hi Andrew, I cannot agree with you more on the extensibility and openess of Nessus.
However, my customer is using ISS Internet Scanner which we recommended since their security policy does not allow use of open-source tools (yes, such companies do exist). Thanks. soon hin ----- Original Message ----- From: "Yeomans, Andrew" <[EMAIL PROTECTED]> Date: Wed, 15 Jan 2003 10:18:35 -0000 To: "'Neth Six'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED] Subject: RE: [ISSForum] Reply with a bad sequence to a DNS server was made and accepted > From my experience, using a sniffer is the *only* way you will get the > definitive answer to what ISS Internet Scanner actually does. > > Queries to ISS get rapid acknowledgement, but then go into a black hole: > > 26 June 2002: "As soon as we have additional updates/details to provide to > you, we will be > in touch." (Last message sent by ISS on sequence number predictability, > still waiting!) > > Or don't have many details or certainty: > "While I cannot give you exactly how Internet Scanner performs the check > due to its proprietary nature, I can give you a general idea of how the > check works." > "As far as we can tell, if we find .ASP files on your website, then first > we get the file (for example foo.exe) and store it in a buffer. Then we get > the file's data stream (for example, foo.asp::$DATA), and see if it is > different. If it's not the same as foo.asp, then it's probably the source of > the .asp file, and you're vulnerable. If foo.asp:: $DATA is the same as > foo.asp, then you're not vulnerable." (Reply to why a vulnerability was not > reported by ISS.) > > Personally I use both ISS Internet Scanner and Nessus. To me, the ability to > read the test code in Nessus is very valuable, and you can easily run > individual tests. > > Andrew Yeomans > > -----Original Message----- > From: Neth Six [mailto:[EMAIL PROTECTED]] > Sent: 14 January 2003 02:10 > To: [EMAIL PROTECTED] > Subject: [ISSForum] Reply with a bad sequence to a DNS server was made > and accepted > > > Hi everyone, > > I did an scan on my DNS using Internet Scanner and the following > vulnerability was reported: > > dns-badseq (198) Low Risk > > A reply with a bad sequence to a DNS server has been made > > Description: > An attempt to send a reply to a DNS (Domain Name System) server with a bad > sequence number has been made. DNS servers should not accept out of > sequence replies. > > Platforms Affected: > DNS Any version > > Remedy: > Update your DNS server. > > I believe this vulnerability implies that the DNS server is susceptible to > DNS cache poisoning i.e. make a DNS query to the DNS server and then flood > the DNS server with spoofed replies. Am I right? > > I would like to verify to see if it's a false positive. In order to do that > I need to understand how Internet Scanner checked for this vulnerability > e.g. sent DNS query for www.xxx.com, flood DNS with DNS reply for > www.xxx.com, check reply from DNS server to see if it is the 'poisoned' > entry. > > Please correct me if I'm wrong but I don't think Internet Scanner allows me > to check how it probes for vulnerabilities. If so, can some one enlighten > me how can I verify this? Does anyone know how Internet Scanner check for > this vulnerability? Using a sniffer is one way but it's way too troublesome > for a non-technical person. > > Thanks. > > soon hin > -- > __________________________________________________________ > Sign-up for your own FREE Personalized E-mail at Mail.com > http://www.mail.com/?sr=signup > > Meet Singles > http://corp.mail.com/lavalife > > _______________________________________________ > ISSForum mailing list > [EMAIL PROTECTED] > > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to > https://atla-mm1.iss.net/mailman/listinfo > > > ---------------------------------------------------------------------- > If you have received this e-mail in error or wish to read our e-mail > disclaimer statement and monitoring policy, please refer to > http://www.drkw.com/disc/email/ or contact the sender. > ---------------------------------------------------------------------- > -- __________________________________________________________ Sign-up for your own FREE Personalized E-mail at Mail.com http://www.mail.com/?sr=signup Meet Singles http://corp.mail.com/lavalife _______________________________________________ ISSForum mailing list [EMAIL PROTECTED] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
