John,
Thanks for your rapid reply!
What you explain is how I figured you designed it, however, the
hosts that false positives all respond to an nmap -sU -p 500 <IP address>
with the port being closed. This nmap is run from the nessusd host.
The nmap man page reads as follows:
-sU UDP scans: This method is used to determine which
UDP (User Datagram Protocol, RFC 768) ports are
open on a host. The technique is to send 0 byte
udp packets to each port on the target machine. If
we receive an ICMP port unreachable message, then
the port is closed. Otherwise we assume it is
open.
Some examples of the hosts that are falsing:
Netopia R9100 router
OpenBSD 2.9 with ipf (default is to send back an ICMP unreachable)
The nessusd host is:
Nessus 1.0.9
RedHat 7.1 w/ Kernel 2.4.2-2
nmap-2.54BETA7-3
Mike
At 06:50 PM 4/22/2002 +0100, you wrote:
>
>disregard my last post...I'm not thinking right :-<
>
>either the host/network generates ICMP errors or not. so one of the
>following is true:
>1) if the host/network generates ICMP errors AND port 500 is closed,
>the script will exit before spitting any packets out
>2) if the host/network generates ICMP errors AND port 500 is open,
>the script will run, then check to see if the port has closed
>3) if the host/network does not generate ICMP errors AND port 500 is
>closed, the script will still run but will fail to reach the
>security_hole() function.
>4) if the host/network does not generate ICMP errors AND port 500 is
>open, the script will run but will fail to reach the security_hole()
>function
>
>I hate that option 3 wastes bandwidth, and option 4 is a potential
>false negative...however, UDP sucks and there is no other way (that I
>can think of).
>
>John Lampe
>https://f00dikator.hn.org/
>
>"Knowledge will forever govern ignorance, and a people who mean to be
>their own governors, must arm themselves with the power knowledge
>gives. A popular government without popular information or the means
>of acquiring it, is but a prologue to a farce or a tragedy or perhaps
>both."
>- --James Madison
>
>- ----- Original Message -----
>From: "Michael J McCafferty" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Monday, April 22, 2002 11:51 PM
>Subject: Falses on ike_check.nasl
>
>
> >
> > I have had the ike_check.nasl plugin false positive on
> > most, if not all scans I have run. The plugin seems to run no
> > matter if port 500/udp is open or not. I am not real good at
> > reading the nasl plugins yet, but...
> > I see where the plugin runs on port 500, but I don't see
> > where the plugin requires that 500/udp be open to run the test in
> > the first place. Then, it appears that if the plugin doesn't get
> > an ICMP Unreachable after running the attempted DOS, then it
> > thinks the DOS was successful and appears in the report.
> > So, if the plugin runs against a system that does not have
> > port 500/udp open, then it tests anyway. When the host still
> > doesn't respond, then the plugin false-positives.
> >
> > Do I have this correct? Anyone care to comment? One
> > thing is for sure though, I am getting a lot of false positives.
> >
> > Mike
> >
> >
> >
> >
> > **************************************************
> > Michael J. McCafferty
> > M5 Computer Security
> > 858-576-7325 Voice
> > PGP Key ID: 0x2206347F
> > http://www.m5computersecurity.com
> > **************************************************
> > --- "If you build it, they will hack !" ---
>
**************************************************
Michael J. McCafferty
M5 Computer Security
858-576-7325 Voice
PGP Key ID: 0x2206347F
http://www.m5computersecurity.com
**************************************************
--- "If you build it, they will hack !" ---
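The four cases John lays out above, together with the -sU rule Mike quotes from the nmap man page, modelled as an added Python example. This is not the code of ike_check.nasl or of nmap; the Host fields, the observation strings and the evidence_based_check variant are constructed for the illustration, the last to show one way a UDP probe result can be treated as "unknown" instead of "open".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    """Constructed model of a scan target (not a real device profile)."""
    icmp_errors: bool     # host/network emits ICMP port unreachable for closed UDP ports
    port_open: bool       # a service is bound to 500/udp
    answers_probe: bool   # that service replies to a well-formed IKE packet
    crashes: bool         # the service really dies after the malformed packet


def probe(host, after_attack=False):
    """What the scanner observes for one datagram sent to 500/udp."""
    alive = host.port_open and not (after_attack and host.crashes)
    if not alive:
        return "icmp_unreachable" if host.icmp_errors else "silence"
    return "reply" if host.answers_probe else "silence"


def nmap_sU_verdict(observation):
    """The -sU rule quoted in the thread: closed on ICMP, otherwise assumed open."""
    return "closed" if observation == "icmp_unreachable" else "open"


def plugin_as_described(host):
    """John's four cases: exit on a pre-attack ICMP error; otherwise send the
    packet and report a hole only if the port now answers with ICMP unreachable."""
    if probe(host) == "icmp_unreachable":
        return "exit_before_attack"                 # case 1
    after = probe(host, after_attack=True)
    # case 2 reaches security_hole(); cases 3 and 4 run but never do
    return "security_hole" if after == "icmp_unreachable" else "ran_no_report"


def evidence_based_check(host):
    """Added illustration (hypothetical, not the plugin's logic): require a reply
    before the attack and the loss of that reply afterwards. Silence before the
    attack is treated as 'unknown', not as 'open', so a filtered or silent host
    cannot become a finding on the strength of no answer at all."""
    if probe(host) != "reply":
        return "unknown_service_silent"
    return "security_hole" if probe(host, after_attack=True) != "reply" else "no_hole"
```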