I think the desired behavior depends on who is doing the scan, why the scan is being done and what is being scanned. Unless I'm misunderstanding the paranoid setting I agree with Renaud's assessment and in any case I prefer the current behavior. This preference is based on the who, why and what I mentioned above.
My use of nessus is as part of a continuous vulnerability assessment at a university. We are constantly scanning the network for vulnerable systems. At any given time there are over 8,000 systems on the network and we do not want to process false positives -- they waste too much time. If we had to ignore that open ssh plugin due to too many false positives then we lose out on the true positives it would give.

That's my $0.02

Tim Doty

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard van den Berg
Sent: Thursday, October 11, 2007 11:06 AM
To: [email protected]
Subject: Replacements too eager in backport.inc

Sorry Renaud for posting this here as well, but I'd like other people to comment on this as well.

Today I found out why Nessus is so sparse with reporting OpenSSH issues. It is because backport.inc has entries like this:

backported_versions[i++] = "OpenSSH_3.1p1"; real_versions[j++] = "OpenSSH_3.9.99";
backported_versions[i++] = "OpenSSH_3.4p1"; real_versions[j++] = "OpenSSH_3.9.99";
backported_versions[i++] = "OpenSSH_3.5p1"; real_versions[j++] = "OpenSSH_3.9.99";
backported_versions[i++] = "OpenSSH_3.6.1p2"; real_versions[j++] = "OpenSSH_3.9.99";
backported_versions[i++] = "OpenSSH_3.7.1p2"; real_versions[j++] = "OpenSSH_3.9.99";
backported_versions[i++] = "OpenSSH_3.8p1"; real_versions[j++] = "OpenSSH_3.9.99";
backported_versions[i++] = "OpenSSH_3.9p1"; real_versions[j++] = "OpenSSH_3.9.99";

This effectively maps almost all openssh 3.x version strings to 3.9.99 unless you set report_paranoia to 2 (=Paranoid). There are similar entries in backport.inc for Apache.

My argument is that backport.inc was meant to map vendor (Debian/SuSE/Red Hat) version strings to real product version strings. So when you see "SSH-2.0-OpenSSH_4.3p2 Debian-9" you know that this is Debian openssl-client package 4.3p2-9 which is really openssh 4.4p1.

However, with the above examples, there is no indication whatsoever that these versions are patched or even belong to a vendor that supplies a patch.

Renaud's answer is that changing backport.inc would create too many false positives, and that you can always set report_paranoia=2 if you don't like it. My reply is that now you get a lot of false negatives which is a lot worse (and not what the report_paranoia was designed for).

What do you think? Please read the full report and Renaud's answers before answering:
http://bugs.nessus.org/show_bug.cgi?id=1643

Sincerely,
Richard van den Berg

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
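An added illustration of the false-negative effect the thread describes (this is not code from the thread or from Nessus itself; the mapping table mirrors the quoted backport.inc entries, and the "fixed in" version OpenSSH_3.7 is a constructed threshold, not a real advisory):

```python
import re

# Constructed subset of the backport.inc entries quoted above: every one of
# these version strings is rewritten to 3.9.99 before any version check runs.
BACKPORT_MAP = {
    "OpenSSH_3.1p1": "OpenSSH_3.9.99",
    "OpenSSH_3.4p1": "OpenSSH_3.9.99",
    "OpenSSH_3.5p1": "OpenSSH_3.9.99",
    "OpenSSH_3.6.1p2": "OpenSSH_3.9.99",
    "OpenSSH_3.7.1p2": "OpenSSH_3.9.99",
    "OpenSSH_3.8p1": "OpenSSH_3.9.99",
    "OpenSSH_3.9p1": "OpenSSH_3.9.99",
}
PARANOID = 2  # report_paranoia value at which the mapping is bypassed

_BANNER_RE = re.compile(r"OpenSSH_\d+(?:\.\d+)*(?:p\d+)?")
_VER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_version(s):
    """Turn 'OpenSSH_3.6.1p2' into a comparable tuple (3, 6, 1, 2)."""
    m = _VER_RE.search(s)
    if not m:
        raise ValueError(f"unrecognised OpenSSH version string: {s!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def effective_version(banner, report_paranoia=1):
    """Version string a plugin would actually compare, after backport.inc."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSH version in banner: {banner!r}")
    raw = m.group(0)
    if report_paranoia >= PARANOID:
        return raw  # paranoid mode: trust the banner as-is
    return BACKPORT_MAP.get(raw, raw)


def flags_vulnerable(banner, fixed_in, report_paranoia=1):
    """True if a 'fixed in <fixed_in>' check would report this banner."""
    seen = parse_version(effective_version(banner, report_paranoia))
    return seen < parse_version(fixed_in)


if __name__ == "__main__":
    # Constructed banner: a plain 3.4p1 with no vendor suffix at all.
    for level in (1, 2):
        print(level, flags_vulnerable("SSH-2.0-OpenSSH_3.4p1", "OpenSSH_3.7", level))
```

With the default paranoia the unmarked 3.4p1 banner is silently treated as 3.9.99 and never reported; only report_paranoia=2 makes the check see the real version.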
