Mailing List Archive

False Positives: TrinOO, TrinOO for Windows, Shaft, mstream agent
Hi everybody!

Nessus reports on every scan the security holes mentioned in subject.
Even on machines that have been installed minutes before and never
had any network-connection. This cannot be true. I had a look on these
attack-scrips. They all have a similar structure:

1. Send an UDP-packet to the attacked machine.
2. Look for an UDP-answer
3. If there is an answer, report security hole 'x'
else report security hole 'y'

But if nothing listens on this port most machines answer with an
ICMP unreachable, which the script always ignores. Then there is no
answer and it reports an security hole.

Maybe someone can fix this? I tried, but I first have to learn NASL ;-)

Heute ist nicht alle Tage, ich komm' wieder, keine Frage!!!
Yours Joerg
War is an equal opportunity destroyer.