Hello Christian,

Thank you for your complete answer.
Yes, I was using the scan config "Full and Fast Ultimate" and I now better understand why this vuln appeared.
I thought the "Ultimate" one was good to use because it scans more vulns. But I do not want OpenVAS to interrupt some services, so I'm going to use the recommended one.
I really thank you for your answer.

Regards,
Rémi.

2017-08-16 17:48 GMT+02:00 Christian Fischer <[email protected]>:

> Hi,
>
> On 16.08.2017 11:52, Rémi Liquete wrote:
> > Here is the OID number : 1.3.6.1.4.1.25623.1.0.10927
>
> this is a NVT from the ACT_FLOOD category. This means it may interrupt
> services / kill hosts and is not running within the highly recommended
> "Full and Fast" scan config (you're probably using an "Ultimate" one).
>
> If OpenVAS sees the host as up/alive before starting that specific test
> (there are some internal functions which are determining this, I guess
> they include more than ICMP for this) and then the host/firewall doesn't
> respond anymore after the test you will get this seen result /
> vulnerability.
>
> Besides that you really shouldn't use any of the "Ultimate" scan configs
> if you can't live with getting false positives or killed hosts.
>
> > Regards,
> > Rémi
>
> Regards,
>
> --
> Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
> Greenbone Networks GmbH | http://greenbone.net
> Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
> Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
>
> > 2017-08-16 11:28 GMT+02:00 Thijs Stuurman <[email protected]>:
> >
> > > Remi,
> > >
> > > What is the vulnerability OID number?
> > > (This should be mentioned in the details of the vulnerability, at
> > > the bottom under the Log Method section)
> > >
> > > Thijs Stuurman
> > > Security Operations Center | KPN Internedservices
> > > [email protected] | [email protected]
> > > T: +31(0)299476185 | M: +31(0)624366778
> > > PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
> > > Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048
> > > W: https://www.internedservices.nl | L: http://nl.linkedin.com/in/thijsstuurman
> > >
> > > From: Rémi Liquete [mailto:[email protected]]
> > > Sent: Wednesday 16 August 2017 11:04
> > > To: Thijs Stuurman <[email protected]>
> > > CC: [email protected]
> > > Subject: Re: [Openvas-discuss] Vulnerability found on blocked port
> > >
> > > Thank you for your answer.
> > > Sorry for not being as clear as I wanted to.
> > > I performed a scan on a server. This server is behind a firewall
> > > that blocks all ports except the 3 I am scanning, and blocks the ICMP
> > > protocol.
> > > At the end of the scan, I checked the report and in this report,
> > > there is a vulnerability on ping flood in location "general/icmp".
> > > As my firewall is supposed to block this protocol, how can OpenVAS
> > > find any vulnerability with this protocol?
> > > I hope I'm clear enough this time!
> > >
> > > 2017-08-16 10:53 GMT+02:00 Thijs Stuurman <[email protected]>:
> > >
> > > > Rémi,
> > > >
> > > > Your question is not very clear to me but I will try to answer.
> > > > First of all, which found vulnerability on the ICMP protocol?
> > > > Detail your questions please.
> > > >
> > > > Second, you cannot bypass the firewall … it's a firewall, it's
> > > > doing what it is supposed to.
> > > > So either you find nothing, because of the firewall, and confirm
> > > > your firewalling is OK.
> > > > Or you whitelist your scanner in the firewall and test the
> > > > system regardless.
> > > >
> > > > Thijs Stuurman
> > > > Security Operations Center | KPN Internedservices
> > > >
> > > > From: Openvas-discuss [mailto:[email protected]] On Behalf Of Rémi Liquete
> > > > Sent: Wednesday 16 August 2017 10:46
> > > > To: [email protected]
> > > > Subject: [Openvas-discuss] Vulnerability found on blocked port
> > > >
> > > > Hello,
> > > >
> > > > I've performed a scan on 3 TCP ports (lists en ports lists).
> > > > The firewall blocks the ICMP protocol as well.
> > > > The question is: Is it normal that OpenVAS found a
> > > > vulnerability on the ICMP protocol?
> > > > If this is normal, how can the scan bypass the firewall?
> > > >
> > > > Regards,
> > > > Rémi.
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
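
Christian's explanation turns on the NVT's script category. As an added example (not part of the thread and not Greenbone's code), this Python code reads the `script_oid(...)` and `script_category(...)` declarations out of NASL source text and flags reported OIDs whose NVT belongs to a disruptive category. The two NASL fragments and the second OID are constructed samples, and treating the three categories besides ACT_FLOOD as disruptive is this example's assumption.

```python
import re

# Categories treated as disruptive. ACT_FLOOD is the one named in the thread;
# the other three are NASL categories this example assumes you also want flagged.
DISRUPTIVE = {"ACT_FLOOD", "ACT_DENIAL", "ACT_KILL_HOST", "ACT_DESTRUCTIVE_ATTACK"}

OID_RE = re.compile(r'script_oid\s*\(\s*"([0-9.]+)"\s*\)')
CAT_RE = re.compile(r'script_category\s*\(\s*(ACT_[A-Z_]+)\s*\)')

# Constructed NASL fragments (not the real feed files). The first pairs the OID
# from the thread with the category Christian states for it.
SAMPLE_NVTS = [
    '''
    # script_category(ACT_GATHER_INFO);  <- commented out, must be ignored
    if (description) {
      script_oid("1.3.6.1.4.1.25623.1.0.10927");
      script_category(ACT_FLOOD);
    }
    ''',
    '''
    if (description) {
      script_oid("1.3.6.1.4.1.25623.1.0.999999");  # constructed OID
      script_category(ACT_GATHER_INFO);
    }
    ''',
]


def nvt_metadata(nasl_source):
    """Return (oid, category) declared in one NASL script, None where absent."""
    code = "\n".join(line for line in nasl_source.splitlines()
                     if not line.lstrip().startswith("#"))
    oid, cat = OID_RE.search(code), CAT_RE.search(code)
    return (oid.group(1) if oid else None, cat.group(1) if cat else None)


def disruptive_findings(report_oids, nasl_sources):
    """Map each reported OID to its category if that category is disruptive."""
    index = dict(nvt_metadata(src) for src in nasl_sources)
    return {oid: index[oid] for oid in report_oids
            if index.get(oid) in DISRUPTIVE}


if __name__ == "__main__":
    reported = ["1.3.6.1.4.1.25623.1.0.10927", "1.3.6.1.4.1.25623.1.0.999999"]
    for oid, cat in disruptive_findings(reported, SAMPLE_NVTS).items():
        print(f"{oid}: {cat} (result may reflect a host that stopped responding)")
```

To use it on real data, pass the text of the `.nasl` files from your own NVT feed in place of `SAMPLE_NVTS` and the OIDs from your report in place of `reported`.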
