Re: [Fwbuilder-discussion] TCP SYN packets which have the FIN flag set
From: Vadim K. <va...@vk...> - 2005-02-21 18:31:52
On Feb 21, 2005, at 5:45 AM, Chris Hammond wrote:

> Hi Vadim, I created the service object and a rule to use it and nessus still finds the vulnerability. I looked at the plugin in nessus to see if I could figure out what else it is looking for but it went over my head. The plugin is tcpip_ambiguities.nasl.
> What else needs to be done other than the service that we talked about below?

I believe NESSUS expects the firewall to drop these packets but finds that it returns something in response. Try to turn logging on in your rule and see if it matches packets sent by nessus. What action did you use in this rule? It should be "Deny".

If scanning with nessus with SYN+FIN packets does not create log entries, or you get a log entry but it points at a different rule in the policy, check if some other rule might be matching and accepting these packets.

--vk

> Thanks
> Chris
>
> Vadim Kurland wrote:
>
>> On Feb 18, 2005, at 11:30 AM, Chris Hammond wrote:
>>
>>> Thanks for the reply Vadim. I created a tcp object and left the ports at 0 and checked the mask and settings for S and F.
>>> Is this correct?
>>
>> yes, this is correct
>>
>>> Thanks
>>> Chris
>>>
>>> Vadim Kurland wrote:
>>>
>>>> On Feb 18, 2005, at 6:20 AM, Chris Hammond wrote:
>>>>
>>>>> I have started setting up Firewall Builder on the Linux boxes in my NOC and I am running Nessus scans on them to lock them down and one of the issues that comes up with Nessus is the above subject.
>>>>> I looked at the references from the Nessus report but I am having problems creating a rule in Firewall Builder to eliminate the issue.
>>>>>
>>>>> I can handle basic firewalling but in-depth things like this are out of my league. Is anyone out there willing to help me along the path to do this?
>>>>
>>>> you need to create TCP Service object with source and destination ports left blank and SYN and FIN flags set. Then use this object in a rule with action DENY.
>>>>
>>>> --vk
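An added illustration, not code from the thread or from Firewall Builder, of the "mask and settings for S and F" match the thread describes: it builds raw TCP headers, reads the flag byte, and applies the same comparison iptables uses for `--tcp-flags MASK COMP` (of the flags in the mask, exactly those in the settings must be set), which is why a rule masking only SYN,FIN also catches SYN+FIN+ACK. Function names and the sample packets are my own constructions.

```python
import struct

# Flag bits in the 14th byte of a TCP header (RFC 793 layout).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# fwbuilder's TCP service object: "mask" = flags to examine,
# "settings" = flags that must be set among them. Ports left blank.
SYN_FIN_MASK = {"SYN", "FIN"}
SYN_FIN_SETTINGS = {"SYN", "FIN"}


def build_tcp_header(src_port: int, dst_port: int, flag_names) -> bytes:
    """Constructed 20-byte TCP header with the given flags (sample input only)."""
    flags = 0
    for name in flag_names:
        flags |= TCP_FLAGS[name]
    # src, dst, seq, ack, data offset (5 words), flags, window, csum, urg
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       5 << 4, flags, 8192, 0, 0)


def parse_tcp_flags(tcp_header: bytes) -> set:
    """Return the names of the flags set in a raw TCP header."""
    if len(tcp_header) < 14:
        raise ValueError("TCP header too short")
    bits = tcp_header[13] & 0x3F
    return {name for name, bit in TCP_FLAGS.items() if bits & bit}


def flags_match(flags: set, mask: set, settings: set) -> bool:
    """Same semantics as iptables '--tcp-flags MASK COMP': look only at the
    flags in MASK and require exactly SETTINGS among them to be set."""
    return (flags & mask) == settings


def classify(tcp_header: bytes) -> str:
    """Decision the DENY rule from the thread would make for this packet."""
    flags = parse_tcp_flags(tcp_header)
    if flags_match(flags, SYN_FIN_MASK, SYN_FIN_SETTINGS):
        return "DENY"  # SYN+FIN (with or without other flags) is dropped
    return "PASS"      # falls through to the rest of the policy


if __name__ == "__main__":
    for names in ({"SYN"}, {"SYN", "FIN"}, {"FIN", "ACK"}, {"SYN", "FIN", "ACK"}):
        pkt = build_tcp_header(40000, 80, names)
        print(sorted(parse_tcp_flags(pkt)), "->", classify(pkt))
```

Run it and the plain SYN and FIN+ACK samples pass while both SYN+FIN variants are denied, which is the behaviour to confirm in the firewall log when re-running the Nessus plugin.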