Jim Hendrick:
Nessus is not a snort log scanner, nessus is not antivirus. Nessus
examines remote hosts for open ports and then attempts to determine why
those ports are open.
The current test for bagle, run on a port that is likely to be bagle,
happens to disable the bagle program. Typically nessus does not try to
disable a program, but in this instance the side effect is seen as a
win.
"That's not a bug, that's a FEATURE!" -- Tomb of the Unknown Implementer
I would like to suggest that you submit an alternate method for nessus
to confirm the existence of bagle. I would more strongly suggest that
you are splitting hairs, Mr. Hendrick. The what-ifs that arise when we
consider what a foo-mimicking trojan program can accomplish are threats
that are probably better dealt with when they become real. Please see
additional comments below.
>[...]
> The purpose/method of any scanner is clearly to send signals
> and listen to the responses to these stimuli to gain
> information about what is/is not running, etc.
Wrong kind of scanner.
> To answer your question however, there are very few "normal"
> programs that would send "43ffffff0000000004120" as opposed
> to "GET / HTTP/1.0". By determining that Bagle responds
> specifically to the former by "shutting down" and then
> intentionally sending that when the port is found open is OK
> as a diagnostic tool, since most other things listening to
> the same thing would not shut down. The difference is when
> the intent becomes to try to fix the problem.
>
> The problem I have is that of the worst case situation. If a
> new version of Bagle (or something else) were written to
> trigger damage on receipt of "43ffffff0000000004120", then
> nessus would quickly become a part of the problem. Not
> something I would like to see on the news ("Security scanner
> causes more damage in latest virus outbreak."). It would be
> difficult/impossible to explain to the public that
> "43ffffff0000000004120"
> is not very different from "GET / HTTP/1.0".
When "Nessus" is as popular as "Outlook" such a news report might become
likely ;)
I do not use Nessus to find a virus, but I would damn Nessus if it told
me nothing about a particular open port. I use NMAP to find open ports,
I use Nessus to tell me about what's listening and whether or not there
are problems.
>
> I think this particular point turns (for me anyway) on the
> intent. It is different to send "GET / HTTP/1.0" and
> determine what version of a server is present by the response
> because it is normal stimuli for a legitimate service. No one
> would fault nessus if a virus writer took advantage of this
> and wrote something that listened on TCP 80 and triggered
> its damage on receipt of a normal GET request.
>
> So there is the perception problem in a worst case scenario.
>
> There is also the fact that anti-virus tools already exist to
> not only stop but fully remove the bug. If nessus is used as
> part of a suite of tools in a security framework, why should
> it try to (intentionally) overlap with other tools? Should it
> start sending alerts as an IDS? Try to tear down connections
> when it sees bad traffic like "active response"? Be designed
> to also be a firewall on a multi-homed box at the perimeter?
>
> I simply think it is a better use of this tool to focus it on
> scanning, just as snort is focused on IDS,
> CheckPoint/iptables/PIX are focused on being firewalls.
>
Nessus scans services for vulnerabilities. It is more than an open-port
scanner. It is more than a service-detection scanner. It sticks its
finger in HTTPD's eye to see if you get root when it winces. It is
indeed part of a toolkit but I am not clear that you understand its
role.
> Consider that you could clearly use snort logs to determine
> that host X is infected with a virus/backdoor. Should part of
> snort be to send "43ffffff0000000004120" when it thinks it
> "hears" Bagle? At least in this case, it could be part of
> flex response. But I still do not think I would enable it as
> long as I had anti-virus tools at my disposal.
If you've anti-virus at your disposal, you don't worry about scanning a
bagle. But if there's some funny port open, you'd want to know if it WAS
bagle, so you could see what was wrong with your antivirus. Why does the
golfer wear two pairs of pants? In case he gets a hole in one. Net
professionals try to put as many pairs of pants on their net security as
can be made to fit. Overlap is surely intentional.
> Obviously, an anti-virus tool could be "tricked" into
> triggering the payload of a virus by a clever virus writer.
> Similarly a determined intruder could create a way to trick
> an active-response IDS into causing damage to the victim. But
> in these cases, the security team (should have) made a
> conscious decision to weigh these risks when using the tools.
> By making nessus do this (especially as part of default
> scanning) it complicates the work of the good guys. They now
"Dangerous" scanning is part of "Default" scanning? I think I need to
reinstall to examine this claim.
> have to understand and weigh for themselves the risks of each
> plugin (yes, in a perfect world, they would be doing this
> anyway). But most administrators will believe that nessus
> will "only" scan and not view it the same as turning on
> snort's flex-response. (for example).
> Obviously there will always be a grey area that blurs the
> edges of what each tool is/does.
>
> I simply think that in this case, the potential for danger is
> greater than the potential gain.
>
> Jim
Your pontificating on what-if scenarios contemplates emasculating Nessus.
The what-ifs are dealt with when they occur, thanks to the hard work of
M. Deraison and all the others I can't name off the top of my head. If
you don't like the scan, don't run it; but until there is a detection
for bagle that does not cause bagle to shut down this is what we have.
_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus
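The probe-and-listen model argued over above (a banner-style probe versus one that, by design, makes the listener shut down), as an added example that is neither Nessus code nor anything written by the thread's authors. Everything in it is constructed for the demo: the two localhost services, the probe list, the safe_checks flag, the function names, and the shutdown byte sequence, which merely stands in for the hex string quoted in the thread and is not the real Bagle command. The point it makes concrete is that a scanner can only identify a service by a side effect by causing that side effect, so a safe-checks mode has to skip that probe and report less.

```python
import socket
import threading
import time

# Constructed for this example: a made-up "shutdown" sequence standing in for
# the hex string discussed in the thread. It is NOT the real Bagle command.
FAKE_SHUTDOWN_SEQ = bytes.fromhex("43ffffff000000000412")
HTTP_PROBE = b"GET / HTTP/1.0\r\n\r\n"

# Each probe records whether sending it is expected to change the target's
# state. A scan run with safe_checks=True must skip those (hypothetical flag).
PROBES = [
    {"name": "http_banner", "payload": HTTP_PROBE, "side_effect": False},
    {"name": "bagle_shutdown", "payload": FAKE_SHUTDOWN_SEQ, "side_effect": True},
]


def start_fake_service(kind):
    """Start a constructed localhost service on an ephemeral port.

    kind="bagle": silent listener that exits when it receives FAKE_SHUTDOWN_SEQ.
    kind="http":  answers a GET with a banner, anything else with a 400.
    Returns (port, stop_event, thread).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.1)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    data = conn.recv(1024)
                except socket.timeout:
                    data = b""
                if kind == "bagle":
                    if data == FAKE_SHUTDOWN_SEQ:
                        stop.set()  # the side effect: the service goes away
                    # a backdoor of this sort says nothing back either way
                elif data.startswith(b"GET "):
                    conn.sendall(b"HTTP/1.0 200 OK\r\nServer: fake/0.1\r\n\r\n")
                else:
                    conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, stop, t


def port_open(port, timeout=0.5):
    """True if something accepts a TCP connection on 127.0.0.1:port."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout):
            return True
    except OSError:
        return False


def send_probe(port, payload, timeout=0.5):
    """Connect, send one probe, return the reply (b"" on EOF or silence)."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(payload)
            try:
                return s.recv(1024)
            except socket.timeout:
                return b""
    except OSError:
        return None  # could not even connect


def scan_port(port, safe_checks=True, settle=0.3):
    """Run the probe list against one port, then re-check whether it is open.

    With safe_checks=True the side-effecting probes are skipped and listed
    under 'skipped'; with safe_checks=False they are sent and the state of
    the port after the scan becomes part of the evidence."""
    result = {"open_before": port_open(port), "responses": {}, "skipped": []}
    if not result["open_before"]:
        result["open_after"] = False
        return result
    for probe in PROBES:
        if probe["side_effect"] and safe_checks:
            result["skipped"].append(probe["name"])
            continue
        result["responses"][probe["name"]] = send_probe(port, probe["payload"])
    time.sleep(settle)  # give a service that shut itself down a moment to go
    result["open_after"] = port_open(port)
    return result


def classify(result):
    """Turn a scan_port result into a one-line finding."""
    r = result["responses"]
    if (r.get("http_banner") or b"").startswith(b"HTTP/1.0 200"):
        return "http"
    if "bagle_shutdown" in r and result["open_before"] and not result["open_after"]:
        return "bagle-like (identified by its shutdown side effect)"
    if "bagle_shutdown" in result["skipped"]:
        return "unknown (side-effecting probe skipped by safe_checks)"
    return "unknown"


if __name__ == "__main__":
    port, _, t = start_fake_service("bagle")
    print("safe scan:  ", classify(scan_port(port, safe_checks=True)))
    print("full scan:  ", classify(scan_port(port, safe_checks=False)))
    t.join(3)
    print("port still open after full scan:", port_open(port))
```

Run against the fake Bagle, the safe scan sees an open, silent port and can say no more than "unknown"; the full scan sends the side-effecting probe and identifies the service precisely because the port is gone afterwards. That asymmetry is the whole disagreement above in two function calls: the evidence and the damage are the same event.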