weird Qmail smtp error
I'm running nessus-2.2.4 under CentOS and when scanning a Qmail SMTP
server, the logfiles show entries like

Not launching smtp_bypass_cisco.nasl against 1.2.3.4 because the key
SMTP/qmail is present (this is not an error)
Not launching smtp_program.nasl against 1.2.3.4 because the key
SMTP/qmail is present (this is not an error)

...and yet the actual report generated makes no mention that it found a
Qmail server - it just classifies it as "a SMTP server".

Shouldn't details of the type show up in the report?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers

Re: weird Qmail smtp error
On Fri, Oct 21, 2005 at 10:43:04PM +1300, Jason Haar wrote:

> I'm running nessus-2.2.4 under CentOS and when scanning a Qmail SMTP
> server, the logfiles show entries like
>
> Not launching smtp_bypass_cisco.nasl against 1.2.3.4 because the key
> SMTP/qmail is present (this is not an error)
> Not launching smtp_program.nasl against 1.2.3.4 because the key
> SMTP/qmail is present (this is not an error)
>
> ...and yet the actual report generated makes no mention that it found a
> Qmail server - it just classifies it as "a SMTP server".

Are you sure it says "a SMTP server" rather than "An SMTP server is
running..."? The latter comes from find_service.nes while the only
reference I find to the former is in find_service2.nasl (and I've fixed
the grammatical error), although that's not for qmail.

> Shouldn't details of the type show up in the report?

As it's coded, smtpscan.nasl only generates a report if report verbosity
is set to verbose, report paranoia is paranoid, or experimental scripts
is enabled.

George
--
theall@tenablesecurity.com

Re: weird Qmail smtp error
George A. Theall wrote:

>Are you sure it says "a SMTP server" rather than "An SMTP server is
>running..."? The latter comes from find_service.nes while the only
>reference I find to the former is in find_service2.nasl (and I've fixed
>the grammatical error), although that's not for qmail.

It said "An SMTP server is running" and "A SMTP server is listening" -
i.e. smtpserver_detect and find_service

>>Shouldn't details of the type show up in the report?
>
>As it's coded, smtpscan.nasl only generates a report if report verbosity
>is set to verbose, report paranoia is paranoid, or experimental scripts
>is enabled.

OK... but that is inconsistent with the Web checks - i.e. the same scan
reported we had IIS servers - not just "A Web server is running"...


--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: weird Qmail smtp error
On Sat, Oct 22, 2005 at 09:45:29PM +1300, Jason Haar wrote:

>> As it's coded, smtpscan.nasl only generates a report if report verbosity
>> is set to verbose, report paranoia is paranoid, or experimental scripts
>> is enabled.
> OK... but that is inconsistent with the Web checks - i.e. the same scan
> reported we had IIS servers - not just "A Web server is running"...

Are you referring to www_fingerprinting_hmap.nasl or something else?
Both are experimental but, yes, it does seem inconsistent in that for
www_fingerprinting_hmap.nasl you can also get a report by enabling
thorough testing while that won't work for smtpscan.nasl.

Michel Arboi is the author for both scripts. Perhaps he'll respond or
you can ask him directly.

George
--
theall@tenablesecurity.com

Re: weird Qmail smtp error
On Tue Oct 25 2005 at 13:50, George A. Theall wrote:

> Are you referring to www_fingerprinting_hmap.nasl or something else?
> Both are experimental

smtpscan is more reliable than hmap. smtpscan is always run; the
report is "hidden" in some cases. On the contrary, hmap is not always
run.


> www_fingerprinting_hmap.nasl you can also get a report by enabling
> thorough testing while that won't work for smtpscan.nasl.

hmap is rather slow currently. That's why it is enabled in thorough
tests.

If I understand well, the problem is that the SMTP server was
identified as qmail but Nessus said nothing in the report?
BTW, is smtpserver_detect.nasl still useful?

Re: weird Qmail smtp error
Michel Arboi wrote:

>>www_fingerprinting_hmap.nasl you can also get a report by enabling
>>thorough testing while that won't work for smtpscan.nasl.
>
>hmap is rather slow currently. That's why it is enabled in thorough
>tests.
>
>If I understand well, the problem is that the SMTP server was
>identified as qmail but Nessus said nothing in the report?
>BTW, is smtpserver_detect.nasl still useful?
Yes. My point was that it was obvious from the Nessus logs that it had
figured out it was talking to a Qmail server, but it made no reference
to that fact in the report.

This is out of character (IMHO) as Nessus definitely reports when it
finds an Apache or IIS server - so why not other services such as SMTP?
(I haven't checked what it reports for FTP, etc, so maybe this affects
more than just SMTP)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
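
Added example, not part of the thread and not Nessus code: since the fingerprint shows up only in the scanner log unless verbose, paranoid or experimental reporting is on, this sketch recovers the knowledge-base keys named in "Not launching ..." log entries and lists those the report never mentions. The timestamp prefix, the host 1.2.3.5, the key SMTP/example, the report strings and the rule "last component of the key is the product name" are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Message wording taken from the log excerpt quoted in the thread; \s+ also
# tolerates the line wrapping introduced when log lines are pasted into mail.
SKIP_RE = re.compile(
    r"Not launching\s+(?P<plugin>\S+\.(?:nasl|nes))\s+against\s+(?P<host>\S+)\s+"
    r"because the key\s+(?P<key>\S+)\s+is present"
)

# Constructed sample: the two entries from the thread (one left wrapped) plus
# one made-up host and key. The bracketed prefix is a placeholder.
SAMPLE_LOG = """\
[constructed-timestamp] Not launching smtp_bypass_cisco.nasl against 1.2.3.4 because the key
SMTP/qmail is present (this is not an error)
[constructed-timestamp] Not launching smtp_program.nasl against 1.2.3.4 because the key SMTP/qmail is present (this is not an error)
[constructed-timestamp] Not launching example_check.nasl against 1.2.3.5 because the key SMTP/example is present (this is not an error)
"""

def kb_keys_from_log(log_text):
    """Map host -> {KB key -> sorted plugins skipped because that key was set}."""
    found = defaultdict(lambda: defaultdict(set))
    for m in SKIP_RE.finditer(log_text):
        found[m["host"]][m["key"]].add(m["plugin"])
    return {h: {k: sorted(p) for k, p in keys.items()} for h, keys in found.items()}

def unreported_keys(log_text, report_text_by_host):
    """Map host -> KB keys whose product name is absent from that host's report."""
    missing = {}
    for host, keys in kb_keys_from_log(log_text).items():
        report = report_text_by_host.get(host, "").lower()
        # Assumption: the last path component of the key names the product.
        gaps = sorted(k for k in keys if k.split("/")[-1].lower() not in report)
        if gaps:
            missing[host] = gaps
    return missing

if __name__ == "__main__":
    # Constructed report text; the first string uses the wording from the thread.
    reports = {"1.2.3.4": "An SMTP server is running",
               "1.2.3.5": "The remote SMTP server is example"}
    print(kb_keys_from_log(SAMPLE_LOG))
    print(unreported_keys(SAMPLE_LOG, reports))
```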
