Thanks for your help Renaud

I think I now understand.. ;-) I was looking at just running the nasl
script and feeding in IPs from another source i.e. fping (or the server
IP list). But have realised the error in doing that.. :-)
Now I have it successfully reporting from nessusd and can leave it to
others to progress matters further. A few hours away from the computer
and a few beers makes everything much clearer.. lol

I concur with your belief that the second patch should be the only one
applied. However where I work they still argue money, downtime and
whether the first patch is good enough. I describe it sometimes as a
wonderful barn door with gold locks and everyone thinks it is beautiful.
Those of us who see the holes in the roof and walls are told to be
quiet. How many times will they open the barn door to find the horse has
already bolted?

Once again thanks for the clarification on the dcom nasl script usage.

Steve

On Sat, 2003-09-13 at 02:34, Renaud Deraison wrote:
> On Fri, Sep 12, 2003 at 05:26:58PM -0400, Steve Ellis wrote:
> > I ran the msrpc_dcom and it came back with success.. I assume that means
> > that the first patch is installed. Can someone confirm my assumption?
> 
> "Success" means that the plugin is successful - ie: it considers the
> patch as NOT being installed. However, as I repeatedly said, in
> command-line this will produce a false positive. When launched from
> within nessusd, this plugin "cooperates" with msrpc_dcom2.nasl to avoid
> such a false positive.
> 
> > Then msrpc_dcom2 but this came back with a socket error??? I think it
> > should fail or succeed?
> 
> It means that it considers that the patch is applied and attempts to
> write this fact to the knowledge base. As you are launching the plugin
> in command-line, something you should not really do as I said multiple
> times before, writing to the KB fails and you get that "socket error".
> 
> 
> Once again, to make things clear, if you want to run both msrpc_dcom.nasl 
> and msrpc_dcom2.nasl, do that from within nessusd, NOT from the 'nasl' tool, 
> or else you will get false positives.
> 
> Also, you should not use msrpc_dcom.nasl at all anyway - you need to
> patch your servers. You don't care if an interim patch has been put on
> it or not, since MS03-039 is a CUMULATIVE patch. So only run
> msrpc_dcom2.nasl.
> 
>                               -- Renaud
> 
