I have come up with what I consider a reasonable work around for this. It includes post processing the nmap results before feeding them to nessus. I have a list of UDP ports that I check. I always include one port that I don't think should ever be alive (I use 1/udp tcpmux). After nmap runs, I have a perl script that removes all udp results for hosts that have 1/udp listed as open.
It's kind of a kludge, but it works for me. Dion > -----Original Message----- > From: Steve Halligan [mailto:[EMAIL PROTECTED]] > Sent: Monday, May 13, 2002 11:05 AM > To: 'Michel Arboi'; [EMAIL PROTECTED] > Subject: RE: more info on nessus problems.. > > > It is my fault I am afraid. > I sent Renaud a bug report awhile back to fix a problem with > Nessusd locking > up when Nmap returns all 15000 (or how ever many you scan) > when all are > closed. You can replicate this by scanning an IP with nothing on it. > Well Renaud fixed the bug and Nessusd no longer locks up. > However it does > list all 15000 upd ports as being open. > > You are correct in guessing that it is an Nmap problem. Nmap > will report > all udp ports open if none of them are. If even one port is > really open, > this doesn't happen. > > I talked to Fyodor at CanSecWest about this and he said he > would try to see > what he could do about it. Until then it might be wise to > use Nmap alone to > check for this problem and disable UDP scanning for hosts > that have no UDP > ports open. > > -Steve > > PS. Fyodor asked me to remind him in a bit if a fix for this > didn't show up > in the next version. I think he reads this list, and if so, here is a > reminder :) > > > > >GVB <[EMAIL PROTECTED]> writes: > > > >> I am running nmap to scan 65535 ports, both UDP and TCP, and for > >> some reason when I run nmap, it comes back and says that ALL 65535 > >> UDP ports are open. > > > >I suppose that the problem comes from nmap. That's odd. Anyway if all > >your UDP ports are filtered you do not need to scan them. > >Just disable the UDP scan option. > > > >> When I run nmap outside of nessus, it doesn't report all the UDP > >> ports as being open. > > > >Do you run it with the same options? > >Note that when you run a long nmap scan, it is a good idea to save it > >to a file (copy&paste or nmap -oN) and import it into Nessus. > > > >> Problem with the way nessus is importing the data from nmap? > > > >I've never seen this. > > > >-- > >mailto:[EMAIL PROTECTED] > >GPG Public keys: http://michel.arboi.free.fr/pubkey.txt > >http://michel.arboi.free.fr/ http://arboi.da.ru/ > >FAQNOPI de fr.comp.securite : http://faqnopi.da.ru/ > > >
