Security Basics mailing list archives
Re: Finding Nessus False Positives
From: H Carvey <keydet89 () yahoo com>
Date: 8 Feb 2005 14:44:08 -0000
In-Reply-To: <20050207001634.71240.qmail () web31101 mail mud yahoo com>
> I would like to know how experienced vulnerability assessment analysts determine whether Nessus results are false positives or not. The way I ascertain whether a result is a false positive is by crafting the same HTTP request to the webserver. The point where I struggle is how to craft the same request. I mean, if Nessus says "Nessus was able to find the authentication mechanism behind an SMTP server as NTLM", how could I believe or deduce this is true? Or "Nessus could actually upload a test file with PUT and then delete the TEST file with DEL on the webserver": how can I determine these to be true?
First off, you're all over the map with your request...talking about HTTP URLs, SMTP authentication, etc.

Second, one of the first ways I would suggest in determining how the Nessus check is done is to use a regular text editor to open the particular plugin you're interested in. If the plugin is HTTP-based and sends a URL, then you'll likely see the URL there.

Another way to find out what Nessus is doing is to configure it to fire off only that particular plugin, and then run a sniffer while the plugin is being executed.

Alternatively, many (though not all) of the plugins have documentation describing the check, so again, look in the plugin for any information. At the very least, you may be able to get the author's email address, and contact them directly.

Finally, on the overall issue of false positives, you really need to look at how the plugin is written. ISS's Internet Scanner, version 6.01 and prior, had an issue with the AutoAdminLogon Registry value. According to MS documentation, the functionality of the key (and the password in plaintext in the Registry) was only enabled if the value was equal to 1. However, Internet Scanner would state that AutoAdminLogon was 'enabled', even if the value was 0.

Hope that helps,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
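The PUT/DELETE case from the question, reproduced by hand, as an added example that is not part of the original post and is not Nessus plugin code. It does what the reply recommends for a suspect finding: reissue the scanner's own requests and look at what actually happens. Status codes alone are not enough, so the check uploads a unique marker, reads it back with GET, deletes it, and reads again. The two local targets (one that really honours PUT/DELETE, one that answers 200 to every method without storing anything, a common source of false positives) and the test path are constructed for the demonstration.

```python
"""Re-run a scanner's "HTTP PUT/DELETE allowed" check and verify the round trip.

Added example (not from the original post, not Nessus's plugin). The two
handlers below are constructed stand-ins for a target web server.
"""
import http.client
import threading
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer


class WritableHandler(BaseHTTPRequestHandler):
    """Constructed target that genuinely implements PUT, GET and DELETE."""
    store = {}  # path -> body, shared across requests

    def log_message(self, *args):  # keep the example quiet
        pass

    def _body(self):
        return self.rfile.read(int(self.headers.get("Content-Length", 0)))

    def do_PUT(self):
        self.store[self.path] = self._body()
        self.send_response(201)
        self.end_headers()

    def do_GET(self):
        body = self.store.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_DELETE(self):
        self.send_response(204 if self.store.pop(self.path, None) is not None else 404)
        self.end_headers()


class LiarHandler(BaseHTTPRequestHandler):
    """Constructed target that says 200 OK to everything and stores nothing."""
    canned = b"<html>ok</html>"

    def log_message(self, *args):
        pass

    def _ok(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain any body
        self.send_response(200)
        self.send_header("Content-Length", str(len(self.canned)))
        self.end_headers()
        self.wfile.write(self.canned)

    do_GET = do_PUT = do_DELETE = _ok


def _request(host, port, method, path, body=None):
    """One request on a fresh connection (the targets speak HTTP/1.0, no keep-alive)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    headers = {"Content-Length": str(len(body))} if body is not None else {}
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data


def verify_put_delete(host, port, path="/scanner_check_test.txt"):
    """Reproduce the scanner's PUT/DELETE test and say whether the finding holds up."""
    marker = uuid.uuid4().hex.encode()  # unique body: a canned page cannot match by accident
    put_status, _ = _request(host, port, "PUT", path, marker)
    _, fetched = _request(host, port, "GET", path)
    delete_status, _ = _request(host, port, "DELETE", path)
    _, after = _request(host, port, "GET", path)
    upload_confirmed = fetched == marker          # content really landed on the server
    delete_confirmed = upload_confirmed and after != marker
    scanner_would_report = put_status < 400 and delete_status < 400  # status-only logic
    return {
        "put_status": put_status,
        "delete_status": delete_status,
        "upload_confirmed": upload_confirmed,
        "delete_confirmed": delete_confirmed,
        "false_positive": scanner_would_report and not delete_confirmed,
    }


def _start(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def run_demo():
    """Run the verification against both constructed targets; returns both reports."""
    results = {}
    for name, handler in (("writable", WritableHandler), ("liar", LiarHandler)):
        srv, port = _start(handler)
        results[name] = verify_put_delete("127.0.0.1", port)
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    for name, report in run_demo().items():
        print(name, report)
```

The same idea carries to the sniffer approach from the reply: once you have captured the plugin's exact request, replay it this way and judge the finding on the observable effect (marker readable, then gone), not on the status code the server happened to return.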