Security Basics mailing list archives
Re: Nessus Scan
From: Steve Hillier <securityfocus () mastermindtoys com>
Date: Thu, 16 Aug 2007 16:22:25 -0400
Sorry if this was answered already, but were you doing a SYN scan or a full connect scan? Quite often when doing a SYN scan the IDS or firewall sees the half-open connection and closes it, then blocks the IP that made the initial connection for a period of time. I think some IDSs will report this as a "SYN Flood", or something similar. Because the initial connection was successful, Nessus records it as an open port, but when it goes back to do the vulnerability testing, the IDS is blocking the connection, and Nessus reports the port in the manner you mentioned in your initial email. I've seen this happen on a few scans I've done, and I've always taken it to mean that the IDS was doing its job. For what it's worth... Steve Hillier, B.Sc. On 08/16/2007 02:11 PM, mikef () everfast com wrote:
The open ports in question are 80 & 443. There is a PIX firewall between the server and the border router and the web logs show requests from the scan vendor.
Current thread:
- RE: Nessus Scan, (continued)
- RE: Nessus Scan Craig Wright (Aug 15)
- RE: Nessus Scan Erin Carroll (Aug 16)
- RE: Nessus Scan Craig Wright (Aug 16)
- RE: Nessus Scan Erin Carroll (Aug 17)
- RE: Nessus Scan Erin Carroll (Aug 16)
- RE: Nessus Scan Craig Wright (Aug 15)
- RE: Nessus Scan Michael LaSalvia (Aug 15)
- RE: Nessus Scan Serge Vondandamo (Aug 16)
- Re: Nessus Scan David Jacoby (Aug 17)
- RE: Nessus Scan Chandresh Dedhia (Aug 16)
- Re: Nessus Scan levinson_k (Aug 16)
- Re: RE: Nessus Scan mikef (Aug 16)
- Re: Nessus Scan Steve Hillier (Aug 16)
- Re: Nessus Scan mikef (Aug 16)
- Re: Nessus Scan mikef (Aug 16)