Mailing List Archive

More False Positives
The more I use Nessus, the more I scratch my head. Currently, these issues
trouble me:

1. After a recent scan, the summary in the Nessus Report window
indicated that the target server had 3 holes, 2 warnings and 4 notes. Yet
when I expanded the plus signs on the right side, I saw only 1 hole. Where
did the other two holes go? This is not the first time I have observed this
behavior.

2. The security notes indicate that the target server is running IIS
4.0 and the Microsoft FTP service. Okay, but then the "general/tcp" note
goes on to say, "QueSO has found that the remote OS is * Reliant Unix from
Siemens-Nixdorf." Sure it is.

Are these kinds of issues fixed in later versions of Nessus?

--Eric

-----Original Message-----
From: Reeves, Michael (GEAE, Compaq) [mailto:michael.reeves@ae.ge.com]
Sent: Wednesday, August 15, 2001 10:25 AM
To: 'nessus@list.nessus.org'
Subject: Scheduling Scans


I am still having problems searching the lists out there on the website but
I have a quick question. Right now I am doing the delay between scanning on
the codered overflow stuff and was wanting to know if there is a better way
to do this. I want to have cron jobs set up for different plugins at
different times. I read the man page for nessus but I don't see where you
choose the plugins. Also I want to scan different networks at different
times. (Huge international network so got the whole timezone thing going
on.) Also I want to use different plugins for different networks. Anyone
that can point me in the right direction would be greatly appreciated.

Mike Reeves
RE: More False Positives [ In reply to ]
I haven't been getting any problems in the false positive arena. I am just
trying to streamline my whole scanning process so I don't have to babysit
the client. I would rather it email me :) I am just tired of battling with
iss scanner's crappy interface.

Mike

Re: More False Positives [ In reply to ]
Hi,

1) Can you give more information on what holes/warnings it found, so that we can
better help you?
2) You should note that the Queso detection is a false one since your host
doesn't allow proper fingerprinting. That's a plus, not a false positive :},
so now your problem is that I can know that your FTP server is Windows based
(which you should change).

Thanks
Noam Rathaus
http://www.SecuriTeam.com
http://www.BeyondSecurity.com

Know that you're safe (against Code Red and other vulnerabilities):
http://www.AutomatedScanning.com/


Re: More False Positives [ In reply to ]
Eric Robinson <eric@pmcipa.com> writes:

> The more I use Nessus, the more I scratch my head.

Believe me or not, ISS is much more expensive and much worse on the
topic of false positives :-]

> 1. After a recent scan, the summary in the Nessus Report window
> indicated that the target server had 3 holes, 2 warnings and 4 notes. Yet
> when I expanded the plus signs on the right side, I saw only 1 hole. Where
> did the other two holes go?

Without your .NSR file, it is impossible to answer this question.

> 2. The security notes indicate that the target server is running IIS
> 4.0 and the Microsoft FTP service.

Not exactly. There are two kinds of messages:
1. Nessus prints the banner from the service (I suppose this is what
you got)
2. Nessus found that an attack _targeted_ at first against IIS, MS
FTP, whatever..., was successful.

> Okay, but then the "general/tcp" note
> goes on to say, "QueSO has found that the remote OS is * Reliant Unix from
> Siemens-Nixdorf." Sure it is.

Queso is not very reliable. nmap is much better.
Xprobe too (no plugin _yet_).

> Are these kinds of issues fixed in later versions of Nessus?

The banner may be faked, and the IP stack may implement some tricks so
that your Linux looks like a Win2K box (it is not a good idea, though).

The best thing is to give the raw information to the user, so that
he can find the truth by himself.
"Machines should work, people should think".

--
mailto:arboi@bigfoot.com http://www.bigfoot.com/~arboi/
GPG Public keys: http://www.bigfoot.com/~arboi/pubkey.txt
FAQNOPI de fr.comp.securite : http://www.bigfoot.com/~arboi/secu/FAQNOPI/
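The point above, that the summary cannot be reconciled with the report tree without the .NSR file, can be turned into a check on the file itself. The script below is an added example, not code from this thread or from the Nessus project. It counts the REPORT/INFO/NOTE records per host in a pipe-separated .nsr file and also counts how many distinct plugins produced the holes, so that a "3 holes" summary can be compared with what the raw file holds (a single hole plugin firing on three ports is one way the two figures can differ; the thread does not establish that this is Eric's case). The field layout `host|port|plugin id|severity|text` and the severity keywords are my recollection of the Nessus 1.x format and should be treated as an assumption; the sample lines and plugin ids are constructed.

```shell
#!/bin/sh
# Added example: reconcile Nessus summary counts with the raw .nsr file.
# Assumed Nessus 1.x NSR layout (verify against your client version):
#   host|port|plugin_id|SEVERITY|text
# where SEVERITY is REPORT (hole), INFO (warning) or NOTE (note).
# Records with fewer than four fields (open-port entries) are skipped.

# Constructed sample for one host: a single hole plugin (hypothetical
# id 10000) firing on three ports, two warnings and four notes. The
# last line belongs to another host and must not be counted.
sample_nsr() {
    cat <<'EOF'
192.0.2.10|ftp (21/tcp)
192.0.2.10|www (80/tcp)
192.0.2.10|ftp (21/tcp)|10000|REPORT|constructed hole text
192.0.2.10|www (80/tcp)|10000|REPORT|constructed hole text
192.0.2.10|https (443/tcp)|10000|REPORT|constructed hole text
192.0.2.10|ftp (21/tcp)|10001|INFO|constructed warning text
192.0.2.10|www (80/tcp)|10002|INFO|constructed warning text
192.0.2.10|ftp (21/tcp)|10003|NOTE|constructed note text
192.0.2.10|www (80/tcp)|10004|NOTE|constructed note text
192.0.2.10|www (80/tcp)|10005|NOTE|constructed note text
192.0.2.10|general/tcp|10006|NOTE|constructed note text
192.0.2.11|www (80/tcp)|10000|REPORT|other host, must not be counted
EOF
}

# nsr_counts FILE HOST
# Prints the raw per-severity record counts for HOST plus the number of
# distinct plugins behind the holes, so "3 holes" in the summary versus
# "1 hole" in the tree can be checked against the file.
nsr_counts() {
    awk -F'|' -v h="$2" '
        NF >= 4 && $1 == h {
            n[$4]++
            key = $4 SUBSEP $3
            if (!(key in seen)) { seen[key] = 1; u[$4]++ }
        }
        END {
            printf "holes=%d warnings=%d notes=%d distinct_hole_plugins=%d\n",
                   n["REPORT"], n["INFO"], n["NOTE"], u["REPORT"]
        }' "$1"
}

# Usage: nsr-counts.sh FILE HOST; with no arguments, summarise the sample.
if [ $# -eq 2 ]; then
    nsr_counts "$1" "$2"
else
    tmp=$(mktemp) || exit 1
    sample_nsr > "$tmp"
    nsr_counts "$tmp" 192.0.2.10
    rm -f "$tmp"
fi
```

If the raw counts agree with the summary but the tree shows fewer entries, the difference is in how the client groups records for display; if the raw counts disagree with the summary, the file is what to send to the list.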
Re: More False Positives [ In reply to ]
On Wed, Aug 15, 2001 at 10:43:23AM -0700, Eric Robinson wrote:
> The more I use Nessus, the more I scratch my head. Currently, these issues
> trouble me:
>
> 1. After a recent scan, the summary in the Nessus Report window
> indicated that the target server had 3 holes, 2 warnings and 4 notes. Yet
> when I expanded the plus signs on the right side, I saw only 1 hole. Where
> did the other two holes go? This is not the first time I have observed this
> behavior.

Is it possible to get a copy of the report ?

> 2. The security notes indicate that the target server is running IIS
> 4.0 and the Microsoft FTP service. Okay, but then the "general/tcp" note
> goes on to say, "QueSO has found that the remote OS is * Reliant Unix from
> Siemens-Nixdorf." Sure it is.

QueSO is using a prehistoric (compared to nmap) method to do OS
fingerprinting. As you can see, this method is not accurate all the
time, and may produce such nonsense, and that's why QueSO is not even
launched when Nmap discovered the OS. If you tell me what version
of NT you're running, I'll update the QueSO file.


-- Renaud
Re: More False Positives [ In reply to ]
On Wed, Aug 15, 2001 at 02:10:03PM -0400, Reeves, Michael (GEAE, Compaq) wrote:
> I havn't been getting any problems in the false positive arena.. I am just
> trying to streamline my whole scanning process so I don't have to babysit
> the client. I would rather it email me :) I am just tired of battling with
> iss scanner's crappy interface.

http://www.nessus.org/doc/detached_scan.html is your friend then.


-- Renaud
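The detached-scan document covers the server-side route. The other way to get Mike's setup (different plugin sets for different networks, each on its own cron schedule, results mailed back) is to drive the nessus client in batch mode from cron. The script below is an added example, not code from this thread or from the Nessus project. It assumes the 1.x client syntax `nessus -q -c <nessusrc> <host> <port> <user> <password> <targets-file> <result-file>`, with the plugin selection taken from the `PLUGIN_SET` section of a .nessusrc saved from the GUI for that network; check both against the man page of your client version. The directory layout, hostnames, mail address and credentials file are made up for the example, and a `mail` command is assumed to exist.

```shell
#!/bin/sh
# Added example: cron-driven Nessus batch scans, one plugin set per network.
# Assumed layout (hypothetical; adjust to taste):
#   $SCHED_DIR/<network>.targets   one host or network per line
#   $SCHED_DIR/<network>.nessusrc  a .nessusrc saved from the GUI; its
#                                  PLUGIN_SET section selects the plugins
#   $SCHED_DIR/credentials         two lines: nessusd user, password (mode 0600)
# Assumed 1.x client batch syntax (check your man page):
#   nessus -q -c <nessusrc> <host> <port> <user> <password> <targets> <results>
# Batch mode takes the password as an argument, so it is visible in ps for
# the duration of the scan; reading it from a root-only file at least keeps
# it out of the crontab and out of cron's mail.
#
# Example crontab lines (server clock in UTC, windows chosen per region):
#   0 2  * * 1-5  /usr/local/sbin/nessus-sched emea
#   0 9  * * 1-5  /usr/local/sbin/nessus-sched americas
#   0 15 * * 1-5  /usr/local/sbin/nessus-sched apac

SCHED_DIR=${SCHED_DIR:-/etc/nessus-sched}
NESSUS_BIN=${NESSUS_BIN:-nessus}
NESSUSD_HOST=${NESSUSD_HOST:-localhost}
NESSUSD_PORT=${NESSUSD_PORT:-1241}
CRED_FILE=${CRED_FILE:-$SCHED_DIR/credentials}
MAIL_BIN=${MAIL_BIN:-mail}
MAILTO=${MAILTO:-security@example.com}
OUT_DIR=${OUT_DIR:-/var/tmp}

# profile_for NETWORK: prints "targets-file nessusrc-file" (paths must not
# contain spaces); fails with status 2 if either file is missing.
profile_for() {
    t=$SCHED_DIR/$1.targets
    rc=$SCHED_DIR/$1.nessusrc
    if [ -r "$t" ] && [ -r "$rc" ]; then
        echo "$t $rc"
    else
        echo "nessus-sched: no complete profile for network '$1'" >&2
        return 2
    fi
}

# run_scan NETWORK: runs the batch scan for that network's profile and
# mails the result file; returns non-zero if the profile or scan fails.
run_scan() {
    net=$1
    profile=$(profile_for "$net") || return $?
    targets=${profile%% *}
    rc=${profile#* }
    user=$(sed -n 1p "$CRED_FILE") || return 1
    pass=$(sed -n 2p "$CRED_FILE") || return 1
    out=$OUT_DIR/nessus-$net-$(date +%Y%m%d-%H%M).nsr
    "$NESSUS_BIN" -q -c "$rc" "$NESSUSD_HOST" "$NESSUSD_PORT" \
        "$user" "$pass" "$targets" "$out" || return 1
    lines=$(wc -l < "$out" | tr -d ' ')
    "$MAIL_BIN" -s "Nessus results for $net ($lines records)" "$MAILTO" < "$out"
}

# Usage: nessus-sched NETWORK
if [ $# -eq 1 ]; then
    run_scan "$1"
fi
```

Each network gets its own .nessusrc, so the plugin set and the scan options (port range, safe checks) can differ per region without touching the script; adding a network is one targets file and one rc file.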
AW: More False Positives [ In reply to ]
>
> 2. The security notes indicate that the target server is running IIS
> 4.0 and the Microsoft FTP service. Okay, but then the "general/tcp" note
> goes on to say, "QueSO has found that the remote OS is * Reliant Unix from
> Siemens-Nixdorf." Sure it is.

When nmap doesn't identify an OS, the queso wrapper plugin is started. That
has not yet found a single OS correctly for me. You might want to
- install and try the newest version of queso, or
- disable the queso wrapper plugin.
Also make sure that you have OS detection turned on for the nmap plugin.

An additional problem for the OS fingerprinters might be that some of the
probe packets are filtered by a firewall, making the responses look
different.

Regards
Alex