On Wed Sep 13 2006 at 17:44, Patrice.Arnal@alcatel.fr wrote:
Until now, I was happy and confident in the use of Nessus's TCP scanner.
Today, I had to scan a new machine, behind a FW / router
Does this firewall implement some kind of "defense"? Especially
against floods?
I already scanned machines in this configuration
So did I, until I crashed a firewall, and a load balancer a while
later. I do not recommend scans through any kind of stateful device.
Nessus TCP scanner reported 0 open ports
That's very odd. Did it run? Did you try to sniff the traffic between
the machines?
If you are running Nessus 2.2.x, you could also edit
nessus_tcp_scanner.c, change the DEBUG constant, recompile & reinstall
the plugin & retry. I should be able to interpret the results from
nessusd.dump
My question is : What can I do in order to be sure that the nessus TCP
scanner gives me the right results?
Is there parameters I can play with?
nessus_tcp_scanner changes its behaviour automatically when the remote
target starts dropping packets. The initial & maximum number of
parallel TCP connections are modified by several parameters.
The most important parameters are max_checks ("number of checks to
perform at the same time") and safe_checks.
If you set max_checks to 1 and safe_checks to TRUE, nessus_tcp_scanner
will be much less "aggressive". This might solve your problem, *if*
the firewall is trying to protect the target against a "SYN flood".
--
http://arboi.da.ru/ http://ma75.blogspot.com/
PGP key ID : 0x0BBABA91 - 0x1320924F0BBABA91
Fingerprint: 1048 B09B EEAF 20AA F645 2E1A 1320 924F 0BBA BA91
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
