Hi,
Running Nessus has alerted me to the fact that it is possible to
enumerate the versions of my servers, so I went and added a version
directive to BIND to stop this. Now if you try it, all you will get is
"[SECURED]" instead of the actual version.
The problem is that the nasl still seems to think it is vulnerable to
this because something is still returned, namely the "[SECURED]" string.
I have verified that it is really fixed by manually crafting the queries
to try to find the version number and watching that the only result
returned is the string above and not the version number.
Is it possible to tell the NASL script that if the answer is not
numeric or is one of a few pre-defined strings, it should be ignored
as having been secured? This way you could fix your server to report one
of these pre-defined strings and Nessus will know that the version
enumeration has been secured and it will pass the test.
I don't want it to be constantly popping up on reports when I know I
have fixed it already.
Thanks
-h
--
Hari Sekhon
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
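
The check requested in the message above, sketched as an added Python example (not part of the original post and not the Nessus NASL plugin): it parses a constructed reply to a `version.bind` CHAOS TXT query and reports disclosure only when the banner looks like a version number. The allowlist strings, function names and sample banners are assumptions.

```python
import re
import struct

# Assumption: placeholder strings an admin might configure (hypothetical allowlist).
MASKED = {"[secured]", "none", "unknown"}
VERSION_RE = re.compile(r"\d+\.\d+")  # looks like a release number, e.g. 9.x.y
QUESTION = b"\x07version\x04bind\x00" + struct.pack(">HH", 16, 3)  # TXT, class CH

def build_response(text, qid=0x1234):
    """Constructed sample reply to a version.bind CH TXT query (not captured traffic)."""
    header = struct.pack(">HHHHHH", qid, 0x8580, 1, 1, 0, 0)
    rdata = bytes([len(text)]) + text.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 16, 3, 0, len(rdata)) + rdata
    return header + QUESTION + answer

def skip_name(msg, off):
    """Return the offset just past a name (a compression pointer ends it)."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # 2-byte compression pointer
            return off + 2
        off += 1 + msg[off]
    return off + 1

def txt_answer(msg):
    """Return the first TXT string in the answer section, or None."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 16 and rdlen > 0:
            return msg[off + 1:off + 1 + msg[off]].decode("ascii", "replace")
        off += rdlen
    return None

def classify(banner):
    """Report 'disclosed' only when the banner looks like a real version."""
    if banner is None:
        return "no-answer"
    if banner.strip().lower() in MASKED or not VERSION_RE.search(banner):
        return "masked"
    return "disclosed"

if __name__ == "__main__":
    for sample in ("[SECURED]", "9.2.1"):  # constructed banners
        print(sample, "->", classify(txt_answer(build_response(sample))))
```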