Hi, On 16.08.2017 11:52, Rémi Liquete wrote: > Here is the OID number : 1.3.6.1.4.1.25623.1.0.10927
this is a NVT from the ACT_FLOOD category. This means it may interrupt services / kill hosts and is not running within the highly recommended "Full and Fast" scan config (you're probably using an "Ultimate" one). If OpenVAS sees the host as up/alive before starting that specific test (there are some internal functions which are determining this, i guess they include more then ICMP for this) and then the host/firewall doesn't respond anymore after the test you will get this seen result / vulnerability. Besides that you really shouldn't use any of the "Ultimate" scan configs if you can't live with getting false positives or killed hosts. > Regards, > Rémi Regards, -- Christian Fischer | PGP Key: 0x54F3CE5B76C597AD Greenbone Networks GmbH | http://greenbone.net Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460 Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner > 2017-08-16 11:28 GMT+02:00 Thijs Stuurman > <[email protected] > <mailto:[email protected]>>: > > Remi,____ > > __ __ > > What is the vulnerability OID number?____ > > (This should be mentioned in the details of the vulnerability, at > the bottem under the Log Method section)____ > > __ __ > > Thijs Stuurman____ > > Security Operations Center | KPN Internedservices____ > > [email protected] > <mailto:[email protected]> | [email protected] > <mailto:[email protected]>____ > > T: +31(0)299476185 <tel:+31%20299%20476%20185> | M: +31(0)624366778 > <tel:+31%206%2024366778>____ > > PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)____ > > Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048____ > > __ __ > > W: https://www.internedservices.nl > <https://www.internedservices.nl/>| L: > http://nl.linkedin.com/in/thijsstuurman > <http://nl.linkedin.com/in/thijsstuurman>____ > > __ __ > > *Van:*Rémi Liquete [mailto:[email protected] > <mailto:[email protected]>] > *Verzonden:* woensdag 16 augustus 2017 11:04 > *Aan:* Thijs Stuurman <[email protected] > <mailto:[email protected]>> > *CC:* [email protected] > <mailto:[email protected]> > *Onderwerp:* Re: [Openvas-discuss] Vulnerability found on blocked > port____ > > __ __ > > Thank you for your answer.____ > > Sorry for not being as clear as I wanted to.____ > > I performed a scan on a server. This server is behind a firewall > that blocks all port except 3 I am scanning, and blocks ICMP > protocol.____ > > At the end of the scan, I've checked the report and in this report, > there is a vulnerability on ping flood in location "general/icmp".____ > > As my firewall is supposed to block this protocol, how can OpenVAS > find any vulnerability with this protocol ?____ > > I hope I'm clear enough this time !____ > > __ __ > > 2017-08-16 10:53 GMT+02:00 Thijs Stuurman > <[email protected] > <mailto:[email protected]>>:____ > > Rémi,____ > > ____ > > Your question is not very clear to me but I will try to answer.____ > > First of all, which found vulnerability on the ICMP protocol? > Detail your questions please.____ > > ____ > > Second, you cannot bypass the firewall … it’s a firewall, there > doing what it is supposed to.____ > > So either you find nothing, because of the firewall, and confirm > your firewalling is OK.____ > > Or you whitelist your scanner in the firewall and test the > system regardless.____ > > ____ > > ____ > > Thijs Stuurman____ > > Security Operations Center | KPN Internedservices____ > > [email protected] > <mailto:[email protected]> | > [email protected] <mailto:[email protected]>____ > > T: +31(0)299476185 <tel:+31%20299%20476%20185> | M: > +31(0)624366778 <tel:+31%206%2024366778>____ > > PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)____ > > Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048____ > > ____ > > W: https://www.internedservices.nl > <https://www.internedservices.nl/>| L: > http://nl.linkedin.com/in/thijsstuurman > <http://nl.linkedin.com/in/thijsstuurman>____ > > ____ > > *Van:*Openvas-discuss > [mailto:[email protected] > <mailto:[email protected]>] *Namens > *Rémi Liquete > *Verzonden:* woensdag 16 augustus 2017 10:46 > *Aan:* [email protected] > <mailto:[email protected]> > *Onderwerp:* [Openvas-discuss] Vulnerability found on blocked > port____ > > ____ > > Hello,____ > > I've perform a scan on 3 TCP ports (lists en ports lists).____ > > The firewall blocks aswell the ICMP protocol.____ > > The question is : Is that normal that OpenVAS found a > vulnerability on the ICMP protocol ?____ > > If this is normal, how can the scan bypass the firewall ?____ > > Regards,____ > > Rémi.____ > > __ __ > > > > > _______________________________________________ > Openvas-discuss mailing list > [email protected] > https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss > _______________________________________________ Openvas-discuss mailing list [email protected] https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
