On March 14, 2007, "George A. Theall" wrote:
> On 03/14/07 19:37, Dan Harkless wrote:
> > I talked to John in private email and he says that he confirmed that
> > 'Thorough tests' was causing his Citrix service DoS. He also says the
> > problem didn't start occurring until they applied some recent (at the time)
> > Citrix patches.
>
> Someone's reported this to Citrix, right?

I'm not sure. I haven't experienced the problem, so I wouldn't be able to
report it very effectively. I'll CC John on this mail in case he's not still
a subscriber and we can see what he says.

> > However, I also heard from a member of a different security group at my
> > company who saw my post, and he says that they use 'Thorough tests' against
> > Citrix servers without issue. That plus the fact that the IMA service
> > (which was getting stopped in John's case) isn't exposed on the servers I'm
> > scanning (just the ICA service, 1494/tcp) indicates to me that it should be
> > safe to turn on 'Thorough tests'.
>
> As you note, the port range is indeed a consideration when enabling
> thorough tests. Many of the service detection plugins by default probe
> only the well-known port(s) associated with that service. Enabling
> thorough tests will cause those plugins to probe any open port which is
> still marked as an unknown service. So if you know that the only service
> that doesn't handle invalid input well is the ICA service on port
> 1494 (because, say, of testing in a lab), you should be able to enable
> thorough tests and stay clear of trouble as long as you omit 1494 from
> the port range.

Actually it's the IMA service that apparently has the problem, with ICA / 1494
being okay. Thanks for the tip on excluding problem ports.

--
Dan Harkless
http://harkless.org/dan/
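The tip discussed above, omitting a fragile service's port from the scan's port range before enabling thorough tests, as an added example that is not part of the original message or of Nessus itself: a Python helper that rewrites a comma-separated range string with the listed ports cut out. The function name, the sample port numbers, and the `lo-hi,lo-hi` range-string format are assumptions made for illustration.

```python
# Added example: rewrite a scan port range so that fragile ports are never probed.
# All port numbers used with this helper are constructed sample values; substitute
# the ports that lab testing showed cannot tolerate unexpected input.

def exclude_ports(port_range, excluded):
    """Return port_range (e.g. "1-1024,1494") minus every port in excluded."""
    spans = []
    for part in port_range.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)          # "1494" means the span 1494-1494
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port span: {part!r}")
        spans.append((lo, hi))

    # Merge overlapping or adjacent spans so the output is canonical.
    merged = []
    for lo, hi in sorted(spans):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))

    # Split each span around the excluded ports that fall inside it.
    skip = sorted(set(excluded))
    kept = []
    for lo, hi in merged:
        start = lo
        for port in skip:
            if port < start or port > hi:
                continue
            if port > start:
                kept.append((start, port - 1))
            start = port + 1
        if start <= hi:
            kept.append((start, hi))

    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in kept)


if __name__ == "__main__":
    # Full TCP range with one sample port removed.
    print(exclude_ports("1-65535", [2512]))
```

An empty result means every requested port was excluded, in which case the scan should not be launched with that range at all.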
