On 11/15/07 13:07, Detar, Larry wrote:
Pertinent settings: Port Range: 1-65535; Optimize test: Disabled;
Safe Checks: Enabled; Port Scanners: Ping remote host & Nessus TCP
scanner; Plugins: all local checks disabled; CGI scanning enabled (with
default cgi locations specified); performing only a TCP ping (no ARP or
ICMP).
The result was the the phones all rebooted within the first few seconds
of being scanned and remained inop until the scan had completed.
I'm not clear ... did you enable any plugins other than the scanners?
Does the same occur if you do a port scan with something like nmap?
Has anyone had any similar experience (with the phones, not with Cisco
Tech support!) and figued out which check or checks may be causing the
reboot so that I can disable those specific checks?
What I've observed in the past is that enabling the global variable
setting "Thorough tests" can also cause problems because some service
detection plugins will send packets to any port that's flagged as an
unknown service, not just those commonly associated with it.
Can I assume that
Nessus runs the checks in the order listed in the .nessusrc file?
That's not how Nessus works, I'm afraid.
You could look in the Nessus server log,
/opt/nessus/var/nessus/logs/nessusd.messages, provided you have
'log_whole_attack' set to 'yes' in Nessus' config file so that you're
logging details of the attack.
Alternatively, you might be able to look at the packet capture you have,
find when a target stops responding, and see what was being sent before
that.
George
--
theall@tenablesecurity.com
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
