We are noticing that the whisker plugin (ID=10845) has been the main
source of false positive CGI abuses. I think I found out why it is
raising so many false positives for us:
It depends on no404.nasl. If no404.nasl detects that the server is
"broken", then the whisker plugin aborts with no threats found,
which sounds fair. The problem is that no404.nasl does not treat
"403 Permission Denied" requests as "found" while whisker does.
Here are the changes that I would like to make:
Make no404.nasl store something in the kb when it gets 403 return
codes. It would have to be a separate key so as to not interfere
with existing plugins that depend on no404.nasl.
Modify the whisker code to not bark about 403 requests if this new
no404.nasl key is in the kb.
Does this sound like a reasonable change?
P.S. I'm looking at the nessus 2.0.8 code.
Thanks
Erik
source of false positive CGI abuses. I think I found out why it is
raising so many false positives for us:
It depends on no404.nasl. If no404.nasl detects that the server is
"broken", then the whisker plugin aborts with no threats found,
which sounds fair. The problem is that no404.nasl does not treat
"403 Permission Denied" requests as "found" while whisker does.
Here are the changes that I would like to make:
Make no404.nasl store something in the kb when it gets 403 return
codes. It would have to be a separate key so as to not interfere
with existing plugins that depend on no404.nasl.
Modify the whisker code to not bark about 403 requests if this new
no404.nasl key is in the kb.
Does this sound like a reasonable change?
P.S. I'm looking at the nessus 2.0.8 code.
Thanks
Erik