Mailing List Archive

Nessus scan DoS
I have brought down many more servers this month than I ever did in the past even though I had disabled DoS. What went wrong? Thank you.

YanYan
Re: Nessus scan DoS
On Jul 30, 2008, at 11:15 AM, Yanyan Wang wrote:

> I have brought down many more servers this month than I ever did in
> the past even though I had disabled DoS. What went wrong? Thank you.

One possible problem is that you're enabling Thorough tests (under the
'Global variable settings' drop-down menu on the 'Advanced' tab). This
causes Nessus to try running many of the service detection plugins
against all open ports, not just those on the associated well-known
service port.

George
--
theall@tenablesecurity.com



_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: Nessus scan DoS [ In reply to ]
On Wednesday 30 July 2008 17:15:59 Yanyan Wang wrote:
> I have brought down many more servers this month than I ever did in the
> past even though I had disabled DoS. What went wrong? Thank you.

I noticed that you enable "thorough tests". They might be intrusive.

Re: Nessus scan DoS
Is it possible that it was caused by web mirroring?

>>> "George A. Theall" <theall@tenablesecurity.com> 7/30/2008 11:47 AM >>>
On Jul 30, 2008, at 11:15 AM, Yanyan Wang wrote:

> I have brought down many more servers this month than I ever did in
> the past even though I had disabled DoS. What went wrong? Thank you.

One possible problem is that you're enabling Thorough tests (under the
'Global variable settings' drop-down menu on the 'Advanced' tab). This
causes Nessus to try running many of the service detection plugins
against all open ports, not just those on the associated well-known
service port.

George
--
theall@tenablesecurity.com



Re: Nessus scan DoS
On Jul 30, 2008, at 12:17 PM, Yanyan Wang wrote:

> Is it possible that it was caused by web mirroring?

It's hard to say given the information you provided. But enabling
Thorough tests has been known to cause some services to crash when
they receive unexpected data.

George
--
theall@tenablesecurity.com



RE: Nessus scan DoS
I'll second that. Especially on Citrix servers. Turn it off on scans
of production networks.

-----Original Message-----
From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of Michel Arboi
Sent: Wednesday, July 30, 2008 8:48 AM
To: nessus@list.nessus.org
Subject: Re: Nessus scan DoS

On Wednesday 30 July 2008 17:15:59 Yanyan Wang wrote:
> I have brought down many more servers this month than I ever did in
> the past even though I had disabled DoS. What went wrong? Thank you.

I noticed that you enable "thorough tests". They might be intrusive.
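
An added example, not part of the original thread or of Nessus itself: a pre-scan check that flags the settings discussed above in a policy file before it is used against production hosts. The file layout and the key names (`safe_checks`, `Global variable settings[checkbox]:Thorough tests (slow)`) are assumed from Nessus 3-era `.nessusrc` files, and the sample policy is constructed.

```python
import re

# Constructed sample; layout and key names are assumptions modelled on
# Nessus 3-era .nessusrc files. Verify them against your own policy file.
SAMPLE_NESSUSRC = """\
begin(SERVER_PREFS)
 max_hosts = 20
 safe_checks = no
end(SERVER_PREFS)
begin(PLUGINS_PREFS)
 Global variable settings[checkbox]:Thorough tests (slow) = yes
end(PLUGINS_PREFS)
"""

# (section, key) -> (value wanted for production scans, why it matters)
PRODUCTION_RULES = {
    ("SERVER_PREFS", "safe_checks"):
        ("yes", "plugins may use their intrusive code paths"),
    ("PLUGINS_PREFS", "Global variable settings[checkbox]:Thorough tests (slow)"):
        ("no", "service detection plugins run against all open ports"),
}

def parse_nessusrc(text):
    """Return {section: {key: value}} from begin(NAME)/end(NAME) blocks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        begin = re.fullmatch(r"begin\((\w+)\)", line)
        if begin:
            current = sections.setdefault(begin.group(1), {})
        elif re.fullmatch(r"end\(\w+\)", line):
            current = None
        elif current is not None and " = " in line:
            # Keys can contain ':' and '=', so split on the last ' = '.
            key, value = line.rsplit(" = ", 1)
            current[key.strip()] = value.strip()
    return sections

def audit(text):
    """List (key, found_value, reason) for settings unsafe for production."""
    prefs = parse_nessusrc(text)
    findings = []
    for (section, key), (wanted, reason) in PRODUCTION_RULES.items():
        found = prefs.get(section, {}).get(key, "unset")
        if found.lower() != wanted:
            findings.append((key, found, reason))
    return findings

if __name__ == "__main__":
    for key, found, reason in audit(SAMPLE_NESSUSRC):
        print(f"[!] {key} = {found}: {reason}")
```

A setting that is absent from the file is reported as `unset` so the operator confirms the effective default rather than assuming it.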

Re: Nessus scan DoS
Deselecting thorough test had done the trick. Thanks.

I have another question. After I deselected thorough test, the scan did not return any vulnerabilities other than track route. Eventually I deselected test Oracle default account, and the scan found the vulnerabilities. What could be the reason for that? Thanks.

YanYan

>>> "George A. Theall" <theall@tenablesecurity.com> 7/30/2008 12:47 PM >>>
On Jul 30, 2008, at 12:17 PM, Yanyan Wang wrote:

> Is it possible that it was caused by web mirroring?

It's hard to say given the information you provided. But enabling
Thorough tests has been known to cause some services to crash when
they receive unexpected data.

George
--
theall@tenablesecurity.com



Re: Nessus scan DoS
On Aug 6, 2008, at 12:26 AM, Yanyan Wang wrote:

> I have another question. After I deselected thorough test, the scan
> did not return any vulnerabilities other than track route.
> Eventually I deselected test Oracle default account, and the scan
> found the vulnerabilities. What could be the reason for that? Thanks.


It's hard to say. What plugins are you trying to run? How was the scan
configured? Does the Nessus server log have anything interesting from
the earlier scans?

George
--
theall@tenablesecurity.com


