Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Nessus>
  3. devel
Elemination of "unknown" services
arboi at noos
Aug 23, 2002, 3:37 AM
Post #1 of 2 (349 views)
Permalink
A couple of plugins read "Services/unknown". This list includes
everything that was not identified by find_service.
The plugins then process every port found, which could be long.

So there should be a way for a plugin to remove a service it just
identified from this list.
1. We might implement a hack to extract values from Services/Unknown and
add some "service_is_known" or "remove_kb_item" function; however this
would necessitate an upgrade of Nessus to be able to run the new
scripts.
2. Another way could be to add a KB item for every known service,
e.g. something like
"Identitified/tcp/119" = "Proto=NNTP;Server=INN"

This would not prevent get_kb_item("Services/unknown") from returning
the whole list, but it could be processed more quickly.

Hack #2 has another advantage: it could improve cooperation between
plugins.
For example, some services open a port where they speak a complex or unknown
protocol, a web interface. We can easily identify the www server; this
would allow us to suggest that the other port is running the
[whatever] service.

--
mailto:arboi@bigfoot.com
GPG Public keys: http://michel.arboi.free.fr/pubkey.txt
http://michel.arboi.free.fr/ http://arboi.da.ru/
FAQNOPI de fr.comp.securite : http://faqnopi.da.ru/
Re: Elemination of "unknown" services [ In reply to ]
deraison at nessus
Aug 23, 2002, 8:08 AM
Post #2 of 2 (336 views)
Permalink
On Fri, Aug 23, 2002 at 12:37:34PM +0200, Michel Arboi wrote:
> A couple of plugins read "Services/unknown". This list includes
> everything that was not identified by find_service.
> The plugins then process every port found, which could be long.
>
> So there should be a way for a plugin to remove a service it just
> identified from this list.
> 1. We might implement a hack to extract values from Services/Unknown and
> add some "service_is_known" or "remove_kb_item" function; however this
> would necessitate an upgrade of Nessus to be able to run the new
> scripts.

For various reasons, I'd prefer the KB to be "write-only". However, the
"service_is_known" trick sounds good.

> 2. Another way could be to add a KB item for every known service,
> e.g. something like
> "Identitified/tcp/119" = "Proto=NNTP;Server=INN"
>
> This would not prevent get_kb_item("Services/unknown") from returning
> the whole list, but it could be processed more quickly.
>
> Hack #2 has another advantage: it could improve cooperation between
> plugins.

... at the expense of a major rewrite :) I'd prefer hack#1a.


-- Renaud

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal