* Jan-Oliver Wagner [19. Dec 2012]:
> Hello Developers,
>
> in openvas-libraries/nasl/nasl_builtin_find_service.c:mark_unknown_svc()
> we always issue a log message for an unknown service.
>
> The information is pretty useless. The fact that there is an
> open port is handled already separately and through the KB entries
> set by find_service.
>
> It therefore seems to make pretty much sense to remove the issuing
> of a log message inside mark_unknown_svc(). But leave the KB setting as is.
>
> Anyone a hint or comment why this possibly is not a good idea?

First: The code is quite convoluted in this area, I find it hard to tell what it tries to do and what it actually does.

The only situation I could think of where this would make sense is if we find an open port, but are able to assert that whatever is running on this port does not behave like what we expected on this port. For example: Port 80 is open, but whatever is listening there does not respond to HTTP. Treating a non-response as an indicator is quite weak, but from a security perspective I would find it noteworthy to identify potentially rogue services hiding behind common ports.

I think this may be what mark_unknown_svc() tries ("An unknown service is running on this port. It is usually reserved for (protocol XYZ)."). But it appears to me that it is less than reliable. If it were more reliable, the KB entry could be of some use for an NVT running later and creating a message only if no other NVT has in the meantime properly identified the service.

So I am in favor of removing the message, but think the detection of unknown services on common ports should be kept in mind here.

Regards,

Michael

--
Michael Wiegand | Greenbone Networks GmbH | http://www.greenbone.net/
Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
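
The deferred reporting described in the reply above, as an added example that is not part of the original messages and is not OpenVAS code: discovery only records the unidentified port, and an end-of-scan pass reports it only if no later check identified the service. The `struct kb` model, all function names and the sample ports are hypothetical stand-ins, not the scanner's KB API.

```c
#include <stdio.h>

#define MAX_PORTS 32

/* Hypothetical stand-in for the per-port KB entries; not OpenVAS's KB API. */
struct svc { int port; const char *expected; const char *identified; };
struct kb  { struct svc e[MAX_PORTS]; int n; };

static struct svc *kb_find(struct kb *kb, int port) {
    for (int i = 0; i < kb->n; i++)
        if (kb->e[i].port == port) return &kb->e[i];
    return NULL;
}

/* Discovery: remember the unidentified open port, emit no message yet.
   expected is the protocol usually found there, or NULL for an uncommon port. */
int kb_mark_unknown(struct kb *kb, int port, const char *expected) {
    if (kb->n == MAX_PORTS || kb_find(kb, port)) return -1;
    kb->e[kb->n++] = (struct svc){ port, expected, NULL };
    return 0;
}

/* Called by any later check that recognises what is listening. */
int kb_identify(struct kb *kb, int port, const char *service) {
    struct svc *s = kb_find(kb, port);
    if (!s) return -1;
    s->identified = service;
    return 0;
}

/* End-of-scan pass: collect ports that are usually reserved for a protocol
   but were never identified. Returns how many ports were written to out. */
int kb_pending_reports(struct kb *kb, int *out, int max) {
    int c = 0;
    for (int i = 0; i < kb->n && c < max; i++)
        if (kb->e[i].expected && !kb->e[i].identified) out[c++] = kb->e[i].port;
    return c;
}

int main(void) {
    struct kb kb = { .n = 0 };
    int ports[MAX_PORTS];
    kb_mark_unknown(&kb, 80, "HTTP");    /* constructed sample data */
    kb_mark_unknown(&kb, 25, "SMTP");
    kb_mark_unknown(&kb, 31337, NULL);   /* uncommon port: open-port result only */
    kb_identify(&kb, 25, "smtp");        /* a later check recognised SMTP */
    int n = kb_pending_reports(&kb, ports, MAX_PORTS);
    for (int i = 0; i < n; i++)
        printf("An unknown service is running on port %d. It is usually reserved for %s.\n",
               ports[i], kb_find(&kb, ports[i])->expected);
    return 0;
}
```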