On Thu Nov 17 2005 at 07:27, [EMAIL PROTECTED] wrote: > Does it mean that the process is actually killed by > some other plugin and not this one ? > Under what circumstances can this hole be a false positive ?
I got a strange behaviour once. An agent opened two TCP ports. One of them was a web server, the other one something that Nessus did not know. miscflood attacked the unknown service and crashed the agent. So I got an alert on the web port. I tried to reproduce this (unpublished) attack against this web server and could not; I wondered what happened until I noticed that there was _also_ an alert on the unknown service, from check_ports.nasl. "This port was detected as being open by a port scanner but is now closed. This service might have been crashed by a port scanner or by a plugin" For whatever reason, miscflood did not see that it crashed the service. I don't remember the details, maybe there was a delay... In short, also the DoS attack are run one at a time, the messages may be "mixed" under some weird circumstances. The only way to avoid this would be to slow down those generic attacks, and they are already not quick :-/ Anyway, if I were you, I'd investigate further: you obviously have something fragile here. It might even be an exploitable buffer... _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
