Mailing List Archive

Comment on NID:11157
Hi there

The "NetBus" tcp/12345 check mentions a bunch of trojans that could be
running on that port. What it doesn't realize is that Trend Micro
OfficeScan also runs on that port...

Can that either be mentioned - for the sake of lessening freak-outs for
Trend sites? ;-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Comment on NID:11157
On Apr 15, 2005, at 12:08 AM, Jason Haar wrote:
> Hi there
>
> The "NetBus" tcp/12345 check mentions a bunch of trojans that could be
> running on that port. What it doesn't realize is that Trend Micro
> OfficeScan also runs on that port...
>
> Can that either be mentioned - for the sake of lessening freak-outs for
> Trend sites? ;-)

So script 11157 is for Trojans. "An unknown service runs on this port.
It is sometimes opened by Trojan horses. Unless you know for sure what
is behind it, you'd better check your system."

So, the better solution would be to fingerprint the port better,
identifying OfficeScan as what is running, and not alert on it if it
_is_ a valid app?

None of the other ports appear to list the valid services, neither
should this one.
Re: Comment on NID:11157
On Fri Apr 15 2005 at 16:39, MadHat wrote:

> So, the better solution would be to fingerprint the port better,
> identifying OfficeScan as what is running

Right

> and not alert on it if it _is_ a valid app?

trojan_horses.nasl already does this. Unfortunately, this does not
eliminate all false alerts.
So this plugin is disabled if "avoid FP" is set.
Re: Comment on NID:11157
On Apr 15, 2005, at 9:50 AM, Michel Arboi wrote:
> On Fri Apr 15 2005 at 16:39, MadHat wrote:
>
>> So, the better solution would be to fingerprint the port better,
>> identifying OfficeScan as what is running
>
> Right
>
>> and not alert on it if it _is_ a valid app?
>
> trojan_horses.nasl already does this. Unfortunately, this does not
> eliminate all false alerts.

Right, if it is able to identify the port, it does not report it
(unless I misread the nasl script). So find_service2 or one of the
others needs to identify it. The nmap-service-probes file states that a
"Trend Micro OfficeScan antivirus update client" responds to a GET
request with a Server type of "OfficeScan Client", but I am not sure if
that is this client or not, since I do not have access to it.

> So this plugin is disabled if "avoid FP" is set.

Understood
Re: Comment on NID:11157
On Fri Apr 15 2005 at 16:59, MadHat wrote:

> others needs to identify it. The nmap-service-probes file states that a
> "Trend Micro OfficeScan antivirus update client" responds to a GET
> request with a Server type of "OfficeScan Client", but I am not sure if
> that is this client or not, since I do not have access to it.

Another workaround would be to run nmap -sV -oG..., import the
results into Nessus, and external_svc_ident.nasl will "register" the
service.
Until we can identify OfficeScan reliably...
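An added example, not code from this thread, from Nessus or from nmap: a small Python triage helper for tcp/12345 findings that covers both ideas raised above, the GET-banner check that MadHat quotes from nmap-service-probes ("Server: OfficeScan Client") and Michel's nmap -sV -oG workaround (parsing the grepable output instead of importing it into Nessus). It assumes that header string and the standard grepable port-entry layout; the host addresses and the gnmap lines in the test are constructed.

```python
import re
import socket

OFFICESCAN_PORT = 12345

# Assumption taken from the thread's reading of nmap-service-probes: the
# OfficeScan update client answers an HTTP GET with "Server: OfficeScan Client".
OFFICESCAN_SERVER_RE = re.compile(rb"^Server:[ \t]*OfficeScan Client", re.I | re.M)


def classify_banner(response: bytes) -> str:
    """Classify the raw reply from the port.

    'officescan' - HTTP reply carrying the OfficeScan Server header
    'http-other' - some other HTTP server (not NetBus, still worth a look)
    'unknown'    - not HTTP at all; leave plugin 11157's warning standing
    """
    if not response.startswith(b"HTTP/"):
        return "unknown"
    headers = response.split(b"\r\n\r\n", 1)[0]
    return "officescan" if OFFICESCAN_SERVER_RE.search(headers) else "http-other"


def probe(host: str, port: int = OFFICESCAN_PORT, timeout: float = 3.0) -> str:
    """Live helper: send one minimal GET and classify the reply (needs a network)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"GET / HTTP/1.0\r\n\r\n")
            data = b""
            while len(data) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return "unknown"
    return classify_banner(data)


# nmap -oG writes one "Host:" line per host with tab-separated sections; each
# port entry has seven slash-separated fields: port/state/proto/owner/service/rpc/version/
PORT_ENTRY_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def officescan_hosts(gnmap: str, port: int = OFFICESCAN_PORT) -> dict:
    """Map each host with `port` open/tcp to whether nmap -sV identified OfficeScan there."""
    result = {}
    for line in gnmap.splitlines():
        m = re.match(r"Host:\s+(\S+)", line)
        if not m or "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for p, state, proto, _owner, service, _rpc, version in PORT_ENTRY_RE.findall(ports_field):
            if int(p) == port and proto == "tcp" and state == "open":
                result[m.group(1)] = "officescan" in (service + " " + version).lower()
    return result
```

Hosts mapped to False (port open but not identified as OfficeScan) are the ones where the 11157 warning should stand.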
Re: Comment on NID:11157
On Apr 15, 2005, at 10:22 AM, Michel Arboi wrote:
> On Fri Apr 15 2005 at 16:59, MadHat wrote:
>> others needs to identify it. The nmap-service-probes file states that a
>> "Trend Micro OfficeScan antivirus update client" responds to a GET
>> request with a Server type of "OfficeScan Client", but I am not sure if
>> that is this client or not, since I do not have access to it.
>
> Another workaround would be to run nmap -sV -oG..., import the
> results into Nessus, and external_svc_ident.nasl will "register" the
> service.

I did not realize you could do that. Neat. I like -oG ;)

> Until we can identify OfficeScan reliably...
>