Hello,

We've found some traces in our logs showing some kind of scanning activity that looks like it is coming from Nessus. But as it does not match well with the log traces that our own scans generate, we'd like to know if the following is a feasible log pattern for a Nessus scan (these relate to Windows logs), and if possible the particulars of it (version, plugins used...):
Many anonymous network sessions are initiated, all with a 576 event, no username, no domain and no workstation. These do not begin with a login event (528, 540) but directly with a privilege assignment event (576). In the following, each line is a set of events related by the same user session ID.

- One network login failure for user "administrator"
- Followed by one network login failure for a user named "nessusN(X)", where "N(X)" means X random-like decimal digits; X has been 26 one time and 29 some others.
- 8 anonymous sessions (no username, no domain, no workstation) immediately closed.
- Another anonymous session that looks up IDs and reads password parameters on the local machine's SAM
- One anonymous session immediately closed
- Anonymous session that reads the members of local group 00000227
- 4 more anonymous sessions that close immediately
- Anonymous enumeration of services in the system
- 1 immediately closed anonymous session
- Anonymous read of members of local group 00000220
- Login failure for user "xN(9)", no domain and no workstation
- Login failure for user "x", no domain and no workstation
- Login failure for user "eN(9)", no domain and no workstation
- Login failure for user "e", no domain and no workstation
- 5 anonymous sessions immediately closed
- Anonymous lookup of IDs followed by read of data for user 000001F4 (administrator)
- Anonymous lookup of user 000001F5 (Guest)
- Anonymous read of members in group 000003E8
- Anonymous read of data for user 000003EA
- Anonymous read of data for user 000003EE
- 2 anonymous lookups of IDs followed by read of data for user 000003ED, followed by 42 lookups of IDs
- Anonymous read of data for users 000001F5 (Guest), 000003E8 and 000003EA, followed by one ID lookup and another read of data for users 000003ED and 000003EE.
- One anonymous session immediately closed
- 3 ID lookups followed by read of data for user 000003ED, followed by 42 ID lookups
- Read of data for user 000001F5 (Guest) again, followed by one ID lookup
- 6 anonymous sessions immediately closed

Our own Nessus scans, apart from performing different actions, show other significant differences:

- The user nessusN(X) in our scans has far fewer digits appended (15).
- Our scans test users with common names, both in the domain of the target and in "WORKGROUP", but not in an empty domain, and not names like "x" or "e". Also, the only user that gets digits appended is "nessus".
- They initiate anonymous network sessions with 540 events.
- They include the workstation IP in the session opening event.
- There are not so many anonymous sessions initiated and closed immediately without further actions logged.

Timings and the fact that the exact same pattern appears on several systems lead us to think of some automated tool, and possibly Nessus, as it's one of the user names tested, but those differences leave us in doubt.

Thanks in advance.

Mara "Luna"

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
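The post describes a pattern a defender would want to pick out of a Windows Security log automatically: sessions that open with a 576 (special privileges assigned) event and no preceding 528/540 logon, fully anonymous sessions that close immediately, and logon failures for probe accounts such as "nessus" followed by a long run of digits. The following is an added example written for this page, not code from the original post or from Nessus. It runs over a constructed list of event records; the tuple layout (event ID, logon ID, user, domain, workstation), the use of 538 as the logoff event and 529 as the logon failure event (pre-Vista Windows IDs), and the threshold of 20 or more digits for a suspicious "nessus" user name are all assumptions made for the example.

```python
"""Flag Windows Security-log sessions that match the anonymous-enumeration
pattern from the mailing-list post (added example with constructed data)."""
import re
from collections import defaultdict

# Pre-Vista Windows Security event IDs used by this example (assumption:
# 538 = user logoff and 529 = logon failure are not named in the post).
LOGON_IDS = {528, 540}      # successful logon (interactive / network)
PRIV_ASSIGNED = 576         # special privileges assigned to new logon
LOGOFF = 538
LOGON_FAILURE = 529

# Constructed sample records: (event_id, logon_id, user, domain, workstation).
# A logon_id of "-" means the event carries no session identifier.
SAMPLE_EVENTS = [
    (540, "0x1A2B", "jsmith", "CORP", "WS01"),        # normal network logon
    (576, "0x1A2B", "jsmith", "CORP", "WS01"),
    (538, "0x1A2B", "jsmith", "CORP", "WS01"),
    (576, "0x2C3D", "", "", ""),                       # anonymous, no 528/540 first
    (538, "0x2C3D", "", "", ""),                       # ...and closed immediately
    (529, "-", "administrator", "", ""),               # failure, no domain/workstation
    (529, "-", "nessus12345678901234567890123456", "", ""),  # 26 digits appended
    (529, "-", "x", "", ""),
    (576, "0x4E5F", "", "", ""),
    (538, "0x4E5F", "", "", ""),
]

# Probe-account name shape from the post: "nessus" plus a long digit run.
# The 20-digit threshold is this example's choice, not a Nessus constant.
NESSUS_USER = re.compile(r"^nessus\d{20,}$", re.IGNORECASE)


def group_sessions(events):
    """Group events by logon ID, preserving order within each session."""
    sessions = defaultdict(list)
    for ev in events:
        if ev[1] != "-":
            sessions[ev[1]].append(ev)
    return sessions


def is_anonymous(ev):
    """True when user, domain and workstation are all empty."""
    return ev[2] == "" and ev[3] == "" and ev[4] == ""


def analyze(events):
    """Return the indicators described in the post as a dict of findings."""
    findings = {
        "orphan_priv_sessions": [],      # 576 with no 528/540 in the session
        "empty_anonymous_sessions": [],  # anonymous session with only 576/538
        "nessus_probe_users": [],        # failed logons for nessus<digits>
        "failed_logons_no_workstation": 0,
    }
    for logon_id, evs in group_sessions(events).items():
        ids = [e[0] for e in evs]
        if ids[0] == PRIV_ASSIGNED and not LOGON_IDS.intersection(ids):
            findings["orphan_priv_sessions"].append(logon_id)
        if all(is_anonymous(e) for e in evs) and set(ids) <= {PRIV_ASSIGNED, LOGOFF}:
            findings["empty_anonymous_sessions"].append(logon_id)
    for eid, _, user, domain, ws in events:
        if eid != LOGON_FAILURE:
            continue
        if NESSUS_USER.match(user):
            findings["nessus_probe_users"].append(user)
        if domain == "" and ws == "":
            findings["failed_logons_no_workstation"] += 1
    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Real deployments would feed `analyze()` with records parsed from exported Security logs instead of the constructed list; the session grouping is the important part, since the post's strongest signal is not any single event but the sequence within one logon ID.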
