On Sunday 05 May 2002 03:40 pm, Noam Rathaus wrote: > Hi, > > (This is long, but please bare with me) > > I am sorry to bring this up, but it seems that there are too many "trickle > though" cases where Nessus will cause false positives when trying to access > pages that are not answering a "404 File not found" response. Had a similar issue, here is a modified version (not complete) which seems to work around most of these problems: # # The script code starts here # function check(url, port) { req = http_get(item:url, port:port); soc = open_sock_tcp(port:port); if (!soc) { return (0); } send(socket:soc, data:req); result = recv(socket:soc, length:8192, timeout:20); close(soc); return(result); } function find_err_msg(buffer) { cmsg = 0; for (cmsg = 0; errmsg[cmsg]; cmsg = cmsg + 1) { cpat = errmsg[cmsg]; if (ereg(pattern:cpat, string:buffer, icase:TRUE)) { return(cpat); } } return (0); } # build list of test urls badurl[0] = string("/NESS_no404.html"); badurl[1] = string("/NESS_no404.cgi"); badurl[2] = string("/NESS_no404.sh"); badurl[3] = string("/NESS_no404.pl"); badurl[4] = string("/cgi-bin/NESS_no404.html"); badurl[5] = string("/cgi-bin/NESS_no404.cgi"); badurl[6] = string("/cgi-bin/NESS_no404.sh"); badurl[7] = string("/cgi-bin/NESS_no404.pl"); errmsg[0] = "not found"; errmsg[1] = "404"; errmsg[2] = "error has occurred"; errmsg[3] = "firewall-1 message"; errmsg[4] = "Reload acp_userinfo database"; errmsg[5] = "IMail Server Web Messaging"; debug = 1; port = get_kb_item("Services/www"); if(!port)port = 80; for (c = 0; badurl[c]; c = c + 1) { url = badurl[c]; if(debug) display("Checking URL ", url, "\n"); ret = check(url,port); if (ret != 0) { raw_http_line = egrep(pattern:"^HTTP/", string:ret); # check for a 200 OK if(ereg(pattern:"^HTTP.*200", string:raw_http_line)) { # look for common "not found": indications not_found = find_err_msg(buffer:ret); if (not_found != 0) { found = string("www/no404/", port); set_kb_item(name:found, value:not_found); security_note(port:port, data:not_found); if(debug) display("200: Using string: ", not_found, "\n"); exit(0); } } # check for a 302 Moved if(ereg(pattern:"^HTTP.*302", string:raw_http_line)) { # put the first line of the response as no404 msg ;) found = string("www/no404/", port); set_kb_item(name:found, value:raw_http_line); security_note(port:port, data:raw_http_line); if(debug) display("302: Using ", raw_http_line, "\n"); exit(0); } } else { if(debug) display("An error occurred when trying to request: ", url, "\n"); } }
This archive was generated by hypermail 2b30 : Mon May 06 2002 - 21:56:10 PDT