[Plugins-writers] check_ports.nasl

From: Herman Young (herman@private)
Date: Wed Nov 29 2006 - 01:32:28 PST


Good day,

We changed check_ports.nasl to indicate when a scan on one of our customers may be incomplete due to network congestion, IDS or IPS
behaviour etc..
The nasl also reports on the specific ports affected.
When we see the nasl reporting *consistently*, we tune the Nessus config untill check_ports.nasl does not report anymore.

For interest sake the settings we had the most complete results with are the following (We use Nessus 3.0.3 and these scans are
conducted over the Internet):

10335 = yes #Nessus tcp scanner
max_hosts = 10
max_checks = 5
checks_read_timeout = 10 #Default is 5
Thorough tests (slow) = no

Herewith the nasl:
#
# This script was written by Michel Arboi <arboi@private> 
#
# GPL, blah blah blah
# See the Nessus Scripts License for details
#
# Services known to crash or freeze on a port scan:
#
# ClearCase (TCP/371)
# NetBackup
# 
################
# References
################
#
# From: marek.rouchal@private
# To: bugtraq@private, vulnwatch@private, 
#   submissions@private
# CC: rheinold@private, buggy@private, 
#    Thorsten.Delbrouck@private, manfred.korger@private
# Date: Fri, 22 Nov 2002 10:30:11 +0100
# Subject: ClearCase DoS vulnerabilty
#
################
# Changes
################
#
# Edited by Herman Young <herman@private>

if(description)
{
 script_id(10919);
 script_version ("$Revision: 1.4 $");

 name["english"] = "Check open ports";
 name["francais"] = "Vérifie les ports ouverts";
 
 script_name(english:name["english"],
            francais:name["francais"]);
 
 desc["english"] = "
During the Scan a port that was previously open has now closed. 
There exist numerous possible causes for this failure. The scan may have caused the service to freeze or stop running. 
An administrator may have stopped this particular service during the scanning process. A network failure may have occurred.

Risk factor : None";


 script_description(english:desc["english"]);
 
 summary["english"] = "Check if ports are still open";
 summary["francais"] = "Vérifie si les ports sont toujours ouverts";
 script_summary(english:summary["english"],
               francais:summary["francais"]);
 
 script_category(ACT_END);


 script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi");
 family["english"] = "Misc.";
 family["francais"] = "Divers";
 script_family(english:family["english"], francais:family["francais"]);

 script_dependencie("find_service.nes");
 exit(0);
}

ports = get_kb_list("Ports/tcp/*");
if(isnull(ports))exit(0);

number_of_ports = 0;
closed_ports = 0;

myreport = string("The following ports were open at the beginning of the scan but are now closed:\n\n");

foreach port (keys(ports))
{
   number_of_ports ++;
   port = int(port - "Ports/tcp/");
   s = open_sock_tcp(port);
   if (! s)
   {
    	myreport += string("Port "); myreport += port; myreport += string(" was detected as being open but is now closed.\n");
	closed_ports++;
   }
   else
   {
    	close(s);
   }
}


if( number_of_ports == 0 || closed_ports == 0) { exit(0); }
else {

myreport += string("\nThis might be an availability problem related which might be due to the following reasons :\n\n");
myreport += string("- The remote host is now down, either because a user turned it off during the scan\n");

if(safe_checks() == 0) myreport += string("- A selected denial of service was effective against this host\n");

myreport += string("- A network outage has been experienced during the scan, and the remote 
network cannot be reached from the Vulnerability Scanner any more\n");

myreport += string("- This Vulnerability Scanner has been blacklisted by the system administrator
or by automatic intrusion detection/prevention systems which have detected the 
vulnerability assessment.\n\n");

myreport += string("In any case, the audit of the remote host might be incomplete and may need to
be done again\n");

 security_note(port:0, data:myreport); 

}




 



 ** CRM114 Whitelisted by: From herman@private **
_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers



This archive was generated by hypermail 2.1.3 : Wed Nov 29 2006 - 02:07:12 PST