On May 21, 2008, at 12:18 PM, John Chajecki wrote:

> We have been writing a custom plugin to test for the presence of  
> McAfee EPO Agent on workstations and we have had success in  
> accomplishing this but we had several problems along the way for  
> which we would like to request answers. We are using Nessus server  
> and client 3.2.0:
>
> 1. Why do the get_port_state, get_tcp_port_state and  
> get_udp_port_state functions always return a value of 1 (i.e. true)?

Because you did not launch a port scanner. get_port_state() does not  
send any packet to the remote host, it simply looks into the local  
cache to determine whether a given port is known to be open or not. In  
doubt, it will return TRUE and it's up to your plugin to handle a  
connection being closed.


> 2. Since the UDP protocol is stateless or connectionless, the above  
> function always returns true and the open_sock_udp function also  
> always succeeds, how do you determine whether a UDP port is open on  
> a remote host? How do you listen to a response on that port?

UDP being connection-less, you'd send a properly crafted UDP packet  
and wait for an answer by using recv() (just like with a TCP socket).  
If you are talking about a generic UDP port scanner, there is no clean  
way to determine whether a port is open or not -- in some cases,  
sending a UDP packet to a closed UDP port will return an ICMP  
unreachable error in return, but on systems where ICMP rate limiting  
is in effect, or systems behind firewalls which block ICMP unreach  
messages, the only way to determine if a UDP port is open is to talk  
to the service behind it.

>
>
> 3. When you drop a custom plugin into the plugin directory  
> (/opt/nessus/lib/nessus/plugins) and restart Nessus, the plugin does not  
> immediately appear in the plugin list. We checked and double checked  
> all of the fields on the description and they appear to be correct  
> but just in case, here is our description section:
[...]

> What seems to happen is that the plugin does eventually appear in  
> the list some 30min to an hour later.
> Is there any way to force a re-sync of the plugin database so that  
> it will appear immediately or reasonably quickly?

This is very surprising. Are you talking about modifying an existing  
plugin or adding a new file in the plugins/ directory?

If you modify an existing file, then launch nessusd with the -t option  
(nessusd -D -t) to force it to check the timestamps.



> 4. Is there a way of selecting all plugins for a specific platform  
> e.g. Solaris, Windows, Cisco etc? We couldn't find any and this  
> seems a major omission in our opinion.

No, because some (many) vulnerabilities are cross platform. You can  
select a given family (Solaris local checks for instance), but it's  
recommended that you perform a full scan against each tested system  
and let nessusd itself determine which plugins to launch/not to launch.


> 5. On the plugin selection tab in the Nessus Client, why does the  
> find function never return any results?

I can't reproduce this here. Which version are you running, on which  
platform?

> Also, why does the 'Show All' button cause all plugins AND all port  
> scanners on the option page AND other options on other tabs to  
> become de-selected?

This is a known limitation of the 'Find' function. It will only leave  
enabled the plugins which matched your query.


                                        -- Renaud
_______________________________________________
Nessus mailing list
http://mail.nessus.org/mailman/listinfo/nessus
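
Added example, not part of the original message and not Nessus or NASL code: a Python sketch of the UDP check described in the answer to question 2, which sends a payload, waits in recv(), and separates "service answered" from "ICMP unreachable came back" from "nothing came back". The names `probe_udp` and `demo`, the `b"hello"` payload and the three loopback targets are constructed for illustration.

```python
import socket
import threading

def probe_udp(host, port, payload, timeout=1.0):
    """Classify a UDP port by talking to whatever is behind it.

    "open"        -> the service answered the payload
    "closed"      -> an ICMP port-unreachable came back
    "no-response" -> silence: open but mute, filtered, or ICMP rate-limited
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() on UDP sends nothing; it only binds the peer address so
        # the kernel can report ICMP errors for that peer on this socket.
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(4096)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "no-response"

def demo():
    """Probe three constructed loopback targets and return the verdicts."""
    lo = "127.0.0.1"
    answering = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    answering.bind((lo, 0))
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind((lo, 0))           # bound, but never replies
    spare = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    spare.bind((lo, 0))
    closed_port = spare.getsockname()[1]
    spare.close()                  # nothing listens on this port any more

    def answer_once():
        data, peer = answering.recvfrom(4096)
        answering.sendto(b"reply:" + data, peer)

    threading.Thread(target=answer_once, daemon=True).start()
    results = {
        "answering": probe_udp(lo, answering.getsockname()[1], b"hello"),
        "silent": probe_udp(lo, silent.getsockname()[1], b"hello", 0.5),
        "closed": probe_udp(lo, closed_port, b"hello", 0.5),
    }
    answering.close()
    silent.close()
    return results

if __name__ == "__main__":
    print(demo())
```

The "silent" and "closed" targets are indistinguishable whenever the ICMP error is dropped or rate-limited, which is why only an application-level reply counts as proof that a UDP port is open.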