Re: NESSUS CRASHING CITRIX METAFRAME SERVERS

To: nessus@list.nessus.org
Subject: Re: NESSUS CRASHING CITRIX METAFRAME SERVERS
From: "George A. Theall" <theall@tenablesecurity.com>
Date: Wed, 14 Mar 2007 21:04:04 -0400
In-reply-to: <200703142337.l2ENbdsq027904@www.harkless.org>
References: <200703142337.l2ENbdsq027904@www.harkless.org>
On 03/14/07 19:37, Dan Harkless wrote:

> I talked to John in private email and he says that he confirmed that
> 'Thorough tests' was causing his Citrix service DoS.  He also says the
> problem didn't start occurring until they applied some recent (at the time)
> Citrix patches.
>
> Someone's reported this to Citrix, right?
>
> However, I also heard from a member of a different security group at my
> company who saw my post, and he says that they use 'Thorough tests' against
> Citrix servers without issue.  That plus the fact that the IMA service
> (which was getting stopped in John's case) isn't exposed on the servers I'm
> scanning (just the ICA service, 1494/tcp) indicates to me that it should be
> safe to turn on 'Thorough tests'.

As you note, the port range is indeed a consideration when enabling thorough tests. Many of the service detection plugins by default probe only the well-known port(s) associated with that service. Enabling thorough tests will cause those plugins to probe any open port which is still marked as an unknown service. So if you know that the only service that doesn't handle invalid input well is the ICA service on port 1494 (because, say, of testing in a lab), you should be able to enable thorough tests and stay clear of trouble as long as you omit 1494 from the port range.


George
--
theall@tenablesecurity.com
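The scoping advice above (enable thorough tests, but keep 1494/tcp out of the port range) can be applied mechanically. The following is added example code, not part of this thread or of Nessus itself: it parses a port-range string in the comma-separated "a-b,c" form, removes the ports to skip, and emits a compact range string to paste into the scan policy. It assumes that form only; keywords such as "default" are not handled.

```python
"""Constructed example: subtract fragile ports from a Nessus-style port range.

Not Nessus's own parser. Only the comma-separated "1-1024,1494,3389" form is
handled; range keywords are out of scope here (assumption).
"""

def parse_port_range(spec: str) -> set[int]:
    """Parse "a-b,c,d-e" into a set of TCP port numbers."""
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(item)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"invalid port range: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports

def format_port_range(ports: set[int]) -> str:
    """Collapse a set of ports back into the compact "a-b,c" form."""
    out = []
    run_start = run_prev = None
    for p in sorted(ports):
        if run_start is None:
            run_start = run_prev = p
        elif p == run_prev + 1:
            run_prev = p          # extend the current contiguous run
        else:
            out.append(f"{run_start}-{run_prev}" if run_start != run_prev else str(run_start))
            run_start = run_prev = p
    if run_start is not None:
        out.append(f"{run_start}-{run_prev}" if run_start != run_prev else str(run_start))
    return ",".join(out)

def exclude_ports(spec: str, skip: set[int]) -> str:
    """Return spec with every port in skip removed, e.g. to keep 1494/tcp out of a thorough scan."""
    return format_port_range(parse_port_range(spec) - skip)

if __name__ == "__main__":
    # Constructed input: a full TCP sweep minus the Citrix ICA port.
    print(exclude_ports("1-65535", {1494}))  # 1-1493,1495-65535
```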
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus