-----BEGIN PGP SIGNED MESSAGE-----

OK, I set up a quick test for this nasl:

Local test bed (all on the local network, 1 hop, switched 100):
  Linux 2.4 kernel (no port 500 UDP)
  FreeBSD 4.5 (no port 500 UDP)
  Solaris 7 (no port 500 UDP)
  Win2k (port 500 UDP open, running a vulnerable Altiga VPN client)

Remote test bed (at least 15 hops away from the Nessus scanner):
  Cisco VPN concentrator (running port 500 UDP and vulnerable)
  Velociraptor firewall (no port 500 UDP)
  Nokia Checkpoint Firewall-1 (no port 500 UDP)
  FreeBSD 4.5 (no port 500 UDP)
  Win2k (no port 500 UDP)

If I run ike_check.nasl against the 9 machines above, I will consistently get false positives on the FreeBSD *local* machine only. tcpdump shows that the ICMP messages are being generated by the local BSD machine. The ICMP message from the local BSD machine is returned so fast that I don't think the filter has a chance to snag the packet... (leastways, that's the only explanation I can come up with). If I look at the delta values between the UDP query and the ICMP returns for all my local machines, FreeBSD ICMP error messages come back many times faster than the other stacks...

I've been using ike_check.nasl for several months against remote networks and have never gotten a false positive... I think the issue is restricted to local machines with fast stacks...

John Lampe
https://f00dikator.hn.org/

"Knowledge will forever govern ignorance, and a people who mean to be their own governors, must arm themselves with the power knowledge gives. A popular government without popular information or the means of acquiring it, is but a prologue to a farce or a tragedy or perhaps both."
--James Madison

----- Original Message -----
From: "Michael J McCafferty" <[EMAIL PROTECTED]>
To: "John Lampe" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, April 23, 2002 8:05 AM
Subject: Re: Falses on ike_check.nasl

> John,
> Thanks for your rapid reply!
> What you explain is how I figured you designed it,
> however, the hosts that give false positives all respond to an nmap
> -sU -p 500 <IP address> with the port being closed. This nmap is
> run from the nessusd host.
>
> The nmap man page reads as follows:
>
> -sU UDP scans: This method is used to determine which
> UDP (User Datagram Protocol, RFC 768) ports are
> open on a host. The technique is to send 0 byte
> udp packets to each port on the target machine. If
> we receive an ICMP port unreachable message, then
> the port is closed. Otherwise we assume it is
> open.
>
>
> Some examples of the hosts that are falsing:
> Netopia R9100 router
> OpenBSD 2.9 with ipf (default is to send back an ICMP unreachable)
>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQEVAwUBPMUbb0XUt1lqbd/lAQGKLgf+LVwlN1jXLJHokpCHOMuxAtL0daWDYI9k
z4OpZnReWrkJUnnkn8VwD9k0x5ip7cYx9t7S75XWuzMyamtZbKwGXcU2TV7tmu6c
Y45LYisrCOPz5npUCRlKjb5EiV15MuOzl8okJrhPa2Wd0dOwhwhEK88Zcl3iiz1T
exBqWY++RomSbg5fUw6pc97SDKjX2AOLn6ZvL+rNeLXJyEWcY+zBlW31wYZ5G/nt
6MRmRhfTZGrAoHpmuYWdQ8Jpgx0DFfXKGucKv5Tw08Yj7xYb3thFMEwx/qxt3dJU
AYPlGNXgqdUyR5tobgVvXD1fn/DMs6yk3Xd9EOPao8su22sCAtfkLQ==
=jQdr
-----END PGP SIGNATURE-----
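The check the thread is arguing about, as an added example that is not code from ike_check.nasl, nmap or either poster: a UDP probe classified the way the quoted nmap man page describes (ICMP port unreachable means closed, silence means open|filtered, a UDP reply means open), but with the ICMP error collected by the kernel on a connected UDP socket instead of by a packet filter that is armed after the datagram has already left. The kernel matches the ICMP error to the socket whenever it arrives, so the fast-loopback race John describes cannot turn a closed port into a false "open". The function names, the loopback targets and the 8-byte probe payload are assumptions for illustration, and the three targets are constructed on 127.0.0.1 so the script runs offline and without root.

```python
"""Added example (not from the Nessus plugin, nmap or the posts above):
probe a UDP port the way nmap -sU does, but without the race between
sending the datagram and arming a packet filter. A connected UDP socket
makes the kernel match the ICMP port-unreachable to the socket and
report it as ECONNREFUSED on the next recv(), however fast it arrives.
All names and the loopback test targets are assumptions for illustration.
"""
import socket
import threading
import time


def udp_port_state(host, port, timeout=1.0, probe=b"\x00" * 8, bufsize=2048):
    """Send one UDP datagram and classify the port.

    Returns (state, elapsed_seconds) where state is
      "closed"        - ICMP port unreachable came back (kernel gives ECONNREFUSED)
      "open"          - a UDP datagram came back
      "open|filtered" - nothing came back before the timeout (nmap's wording)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        # connect() on a UDP socket sends nothing; it only fixes the peer so
        # that ICMP errors for this address/port pair are delivered to it.
        sock.connect((host, port))
        try:
            sock.send(probe)
            sock.recv(bufsize)
            state = "open"
        except socket.timeout:
            state = "open|filtered"
        except ConnectionRefusedError:
            state = "closed"
    finally:
        sock.close()
    return state, time.monotonic() - start


def _closed_port():
    """Find a loopback UDP port nothing listens on: bind to port 0, note it, close."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def _silent_listener():
    """A bound UDP socket that never answers: looks open|filtered to a probe."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s


def _echo_listener():
    """A bound UDP socket that echoes one datagram from a thread: looks open."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))

    def serve():
        try:
            data, peer = s.recvfrom(2048)
            s.sendto(data, peer)
        except OSError:
            pass  # socket closed before a probe arrived

    threading.Thread(target=serve, daemon=True).start()
    return s


def probe_local_targets(timeout=1.0):
    """Probe a closed, a silent and an echoing loopback port (constructed
    targets) and return {label: (port, state, elapsed_seconds)}."""
    silent, echo = _silent_listener(), _echo_listener()
    targets = {
        "closed": _closed_port(),            # picked while the other two are bound
        "silent": silent.getsockname()[1],
        "echo": echo.getsockname()[1],
    }
    results = {}
    try:
        for label, port in targets.items():
            state, elapsed = udp_port_state("127.0.0.1", port, timeout=timeout)
            results[label] = (port, state, elapsed)
    finally:
        silent.close()
        echo.close()
    return results


if __name__ == "__main__":
    # The closed port answers within microseconds on loopback, exactly the
    # "delta" that a filter armed after send() can miss; the silent port
    # costs the whole timeout, which is why nmap only says open|filtered.
    for label, (port, state, elapsed) in probe_local_targets().items():
        print(f"{label:6s} 127.0.0.1:{port:<5d} {state:14s} {elapsed * 1000:8.3f} ms")
```

The elapsed time returned for the closed port is the same UDP-to-ICMP delta John measured with tcpdump; on loopback it is far below anything a capture started after the send could reliably catch, which is the case the connected socket handles and a pcap filter does not. The approach does not help against hosts that rate-limit or suppress ICMP unreachables, which still show up as open|filtered, as the nmap man page warns.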
