On Thu, Feb 21, 2002 at 10:16:57AM -0500, Devin Harris wrote:
> I have also noticed that the PIX does not tolerate nmap TCP scanning for
> long. I have a client with a class C full of about 150 web servers
> protected by a PIX and my nmap scan could not even find one. I will be
> working on this and I can let you know if I figure anything out.
Yes. What I've found is that nessus basically won't scan a thing if the
"TCP ping" port isn't reachable. In our DMZ, there is no one port on every
host that is "TCP ping"able - some are web servers, some are DNS, etc. If I
disable "Do a TCP ping", then it looks like nessus scans the first 20-odd
ports and exits. If I manually configure it to point to a known working port
and scan just one host, then it's happy...

BTW: there is no problem with nessus when it scans the hosts directly, but I
am trying to "see" what a hacker sees! According to the FAQ, scanning
through a firewall "is an incorrect approach". In our DMZ, the Linux hosts
are running ipchains/iptables - so my concern regarding "TCP ping" still
applies to them: I still need "prior knowledge" in order to scan them
directly!

How can I make nessus scan a subnet instead of a host I already know a lot
about? I must be doing something wrong - any suggestions?

I guess what I need is for nessus to "run blind" - not to care that it
appears the host is down - but to keep trying to connect...

nessus-1.1.12 under RH 7.1
All plugins enabled
Prefs:
    "connect" TCP scan
    No TCP/ICMP ping
    Normal timing
Scan Options:
    Port range: 1-8000
    Optimize test: off

-- 
Cheers

Jason Haar
Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
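An added illustration, not code from this thread or from Nessus itself: it shows why a single-port "TCP ping" reports a host as down whenever that one port is closed or filtered, and how checking a short list of candidate service ports instead gives a truer liveness answer for a DMZ where every host exposes a different service. The target is a constructed loopback listener; the function names and the port choices are assumptions for the demo.

```python
import socket
import threading


def tcp_ping(host, port, timeout=1.0):
    """Single-port 'TCP ping': True only if connect() to host:port completes.
    A refused or filtered probe means 'host down', whatever else is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


def host_is_up(host, candidate_ports, timeout=1.0):
    """Multi-port variant: the host counts as up if any candidate port answers.
    This is what a mixed DMZ (web on some hosts, DNS on others) needs."""
    return any(tcp_ping(host, p, timeout) for p in candidate_ports)


def _start_local_listener():
    """Constructed sample target: a loopback listener on an OS-chosen port,
    standing in for one reachable service behind the firewall."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return  # listener closed

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """Returns (single_port_result, multi_port_result) for the same host."""
    srv, open_port = _start_local_listener()
    # Find a loopback port nobody listens on: bind, read it back, release it.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    single = tcp_ping("127.0.0.1", closed_port)              # probe port closed
    multi = host_is_up("127.0.0.1", [closed_port, open_port])  # falls through
    srv.close()
    return single, multi
```

Run `demo()` to see the single-port probe report the host as down while the multi-port check finds the listening service on the same host.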
