IDS Systems will trip Nessus up in this way, too.
When the scan is launched, NMAP will hit the box... the IDS on a firewall (like a VelociRaptor's IDS) will freak out and temp-ban your IP, then Nessus will start reporting false-positives like crazy as the ports are now closed or tarpitted.
Using more-polite nmap scanning and slowing down the plugins may help get around this...
I don't believe this is the case since if your IP was blackholed the code will not output any false positive in this case. Check out the code:
(...)
soc = open_sock_tcp(port);
if(soc)
{... if(!b)security_hole(port); ftp_close(socket: soc); }
So, the only reason plugin #10009 should send a warning is if it could open the port (so, no black hole) _and_ the FTP server closed the connection when sending the CEL+2048 bytes of crap.
I would suggest Matthew to test this same thing without Nessus, from the command line. Just telnet to port 21 and send CEL+2048. This should do it:
perl 'print "CEL"; print "CEL"."a"x2048; print "\n";' | nc MYFTPSERVER 21
In my FTP server (oftpd):
$ perl -e 'print "CEL"; print "a"x2048; print "\n";' |nc localhost 21 220 Service ready for new user. 500 Command line too long.
But the connection keeps open (it is not closed by the FTP server).
Regards
Javi
