Re: [Plugins-writers] Comment on NID:11157

From: MadHat (madhat@private)
Date: Fri Apr 15 2005 - 07:39:45 PDT

On Apr 15, 2005, at 12:08 AM, Jason Haar wrote:
> Hi there
> The "NetBus" tcp/12345 check mentions a bunch of trojans that could be
> running on that port. What it doesn't realize is that Trend Micro
> OfficeScan also runs on that port...
> Can that either be mentioned - in the sake of lessening freak-outs for
> Trend sites? ;-)

So script 11157 is for Trojans.  "An unknown service runs on this port. 
It is sometimes opened by Trojan horses.  Unless you know for sure what 
is behind it, you'd better  check your system."

So, the better solution would be to fingerprint the port better, 
identifying OfficeScan as what is running, and not alert on it if it 
_is_ a valid app?

None of the other ports appear to list the valid services, neither 
should this one.

Plugins-writers mailing list

This archive was generated by hypermail 2.1.3 : Fri Apr 15 2005 - 07:41:15 PDT