On Fri, Dec 07, 2001 at 01:20:43PM +0200, Juha Jäykkä wrote:
> Most false positives are easily dismissed by knowing your setup which
> nessus does not. There are a couple of concerning cases, though: This
> case of lprng: nessus only says it detects an lprng daemon, but NOT
> that it cannot tell the version number and just states what I describe
> in the beginning. Another is Trin00. It has this far detected three
> machines with Trin00. In one of them it most certainly is false since
> it claims to have found Windows version of Trin00 on an IRIX host...
> The other two cases, on the other hand give no hint of being falses.
> Does anyone know how reliable nessus is in detecting Trin00? Does it
> only check that port X is open, thus we have Trin00 there or does it
> really send some commands to the supposed Trin00 client/daemon and
> verify its existence from the reply? If nessus is not reliable, how
> can I check for it?
>

You can see the code yourself. Just go to www.nessus.org and check out
the plugins section. As you can see at
http://cvs.nessus.org/cgi-bin/cvsweb.cgi/~checkout~/nessus-plugins/scripts/trinoo.nasl
the trinoo test does send some UDP packet to the 27444 port and checks
the result.

If you find out a false positive in a given platform please report it to
the nessus mailing list (nessus@list.nessus.org).

Regards

Javi