
Target profiles
Hi,

A while ago, Georges Dagousset (I think ;) suggested to develop "target
profiles", that is, a description for what a web server, smtp server or
whatever may be.

This would allow the user to specify that the remote server is
a web server, nfs server, or whatever. Then, Nessus would produce
different warnings depending on the policy.

For instance, if a server is designated as a "DNS Server", then Nessus
would produce a security hole alert on every port which is not 53
tcp/udp and which is not tolerated (port 22 may be considered as being
tolerated for instance).

I came up with an embryonic specification file format, in which only the
required, suggested and tolerated ports are open. See below for an SMTP
server spec. It's written in NASL, however any file format may do
(but as the nasl interpreter is built-in already, well, it may be worth
using it).

I'd like to know your opinion about it, and how you would see things
from the point of view of the user (how you would like to set this up).

Shall I implement it ? Drop it ? Go to sleep ?

Here is a sample SMTP spec. How would you extend it ?
#
# This spec file determines what an SMTP server is.
#
# An SMTP server *must* have port 25 open,
# it *should* have port 465 open (SMTP over SSL)
# and it *may* have a pop or imap port open, as well as
# having port 22 open, for remote administration.



spec_name = "SMTP Server";


# Necessary ports_tcp (an alert is produced if the
necessary_ports_tcp[0] = "25"; # SMTP (duh)


# We recommend port 465 (SMTP over SSL) to be open
recommended_ports_tcp[0] = "465"; # SSMTP



# We tolerate the remote server to be a POP/Imap server,
# and to be administrated by SSH

tolerated_ports_tcp[0] = "22"; # SSH

tolerated_ports_tcp[1] = "110"; # POP
tolerated_ports_tcp[2] = "995"; # SPOP
tolerated_ports_tcp[3] = "109"; # POP2
tolerated_ports_tcp[4] = "143"; # IMAP
tolerated_ports_tcp[5] = "220"; # IMAP
tolerated_ports_tcp[6] = "993"; # SIMAP
tolerated_ports_tcp[7] = "1109";# KPOP
tolerated_ports_tcp[8] = "106"; # Eudora






-- Renaud
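
The profile check proposed in the message above, as an added example that is not part of the original thread or of Nessus. It parses a constructed spec in the proposed format and compares it with a list of open TCP ports; the function names, the severity labels "hole" and "note", and the treatment of a closed necessary port as a hole are assumptions.

```python
import re

# Constructed spec text in the format proposed in the message above.
SMTP_SPEC = '''
spec_name = "SMTP Server";
necessary_ports_tcp[0] = "25";    # SMTP
recommended_ports_tcp[0] = "465"; # SSMTP
tolerated_ports_tcp[0] = "22";    # SSH
tolerated_ports_tcp[1] = "110";   # POP
tolerated_ports_tcp[2] = "143";   # IMAP
tolerated_ports_tcp[3] = "993";   # SIMAP
'''

# Matches: name = "value";  or  name[index] = "value";
ASSIGN = re.compile(r'^\s*(\w+)(?:\[\d+\])?\s*=\s*"([^"]*)"\s*;')
KINDS = ("necessary", "recommended", "tolerated")

def parse_spec(text):
    """Parse a spec into {'spec_name': str, 'necessary': set, ...}."""
    spec = {"spec_name": "", **{k: set() for k in KINDS}}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue  # blank line or comment
        name, value = m.groups()
        kind = name[:-len("_ports_tcp")] if name.endswith("_ports_tcp") else None
        if name == "spec_name":
            spec["spec_name"] = value
        elif kind in KINDS and value.isdigit() and 0 < int(value) < 65536:
            spec[kind].add(int(value))
        else:
            raise ValueError("bad spec line: " + line.strip())
    return spec

def evaluate(spec, open_ports):
    """Return sorted (severity, port, reason) findings for the open TCP ports."""
    open_ports = set(open_ports)
    allowed = spec["necessary"] | spec["recommended"] | spec["tolerated"]
    findings = []
    for p in spec["necessary"] - open_ports:    # assumption: a closed *must* port is a hole
        findings.append(("hole", p, "necessary port is closed"))
    for p in spec["recommended"] - open_ports:  # assumption: a closed *should* port is a note
        findings.append(("note", p, "recommended port is closed"))
    for p in open_ports - allowed:              # from the message: alert on every other open port
        findings.append(("hole", p, "open port not allowed by profile"))
    return sorted(findings)
```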
Re: Target profiles
Looks interesting.

Pros: Port scans can be limited to only the recommended and tolerated
ports when scanning clearly defined designated servers.

Cons: A security hole arising for every port that is neither recommended
nor tolerated will bring up too many holes and make the host appear highly
vulnerable.

If this is used only on servers that are designated properly, it will be
of little benefit.

When used on a server that is not clearly designated, it will turn up too
many security holes.


I personally don't see much benefit of this feature. But this is just my
opinion.


pub 1024D/4D4E605E 2001-10-05 Jim Kovalchuk <raxor@dexlink.com>
Fingerprint: 6DF1 31C6 05E9 FCA6 02AB 386D 5640 EF8C 4D4E 605E

On Thu, 11 Oct 2001, Renaud Deraison wrote:

>
> Hi,
>
> A while ago, Georges Dagousset (I think ;) suggested to develop "target
> profiles", that is, a description for what a web server, smtp server or
> whatever may be.
>
> This would allow the user to specify that the remote server is
> a web server, nfs server, or whatever. Then, Nessus would produce
> different warnings depending on the policy.
>
> For instance, if a server is designated as a "DNS Server", then Nessus
> would produce a security hole alert on every port which is not 53
> tcp/udp and which is not tolerated (port 22 may be considered as being
> tolerated for instance).
>
> I came up with an embryonic specification file format, in which only the
> required, suggested and tolerated ports are open. See below for an SMTP
> server spec. It's written in NASL, however any file format may do
> (but as the nasl interpreter is built-in already, well, it may be worth
> using it).
>
> I'd like to know your opinion about it, and how you would see things
> from the point of view of the user (how you would like to set this up).
>
> Shall I implement it ? Drop it ? Go to sleep ?
>
> Here is a sample SMTP spec. How would you extend it ?
> #
> # This spec file determines what an SMTP server is.
> #
> # An SMTP server *must* have port 25 open,
> # it *should* have port 465 open (SMTP over SSL)
> # and it *may* have a pop or imap port open, as well as
> # having port 22 open, for remote administration.
>
>
>
> spec_name = "SMTP Server";
>
>
> # Necessary ports_tcp (an alert is produced if the
> necessary_ports_tcp[0] = "25"; # SMTP (duh)
>
>
> # We recommend port 465 (SMTP over SSL) to be open
> recommended_ports_tcp[0] = "465"; # SSMTP
>
>
>
> # We tolerate the remote server to be a POP/Imap server,
> # and to be administrated by SSH
>
> tolerated_ports_tcp[0] = "22"; # SSH
>
> tolerated_ports_tcp[1] = "110"; # POP
> tolerated_ports_tcp[2] = "995"; # SPOP
> tolerated_ports_tcp[3] = "109"; # POP2
> tolerated_ports_tcp[4] = "143"; # IMAP
> tolerated_ports_tcp[5] = "220"; # IMAP
> tolerated_ports_tcp[6] = "993"; # SIMAP
> tolerated_ports_tcp[7] = "1109";# KPOP
> tolerated_ports_tcp[8] = "106"; # Eudora
>
>
>
>
>
>
> -- Renaud
>
Re: Target profiles
Renaud Deraison wrote:
> I'd like to know your opinion about it, and how you would see things
> from the point of view of the user (how you would like to set this up).
>
> Shall I implement it ? Drop it ? Go to sleep ?

I like it. Very much.

RFF: tolerated_ports_tcp(143,110,995,109,993); # various mail server ports

--
Brian Caswell
The MITRE Corporation