To follow up on this and to report the outcome for the mailing list. It would appear that the msrpc_dcom2.nasl plugin will exit without testing the remote host correctly if there are network response problems that cause packets to time out. If this happens then the older plugin then runs and reports a false positive. I ran several test runs of both plugins against a /24 subnet and if I set max_hosts=50 then I got between 1 and 5 false positives. If I back max_hosts down to 30 then I didn't get any false positive results.
I may look at changing the plugin such that it sets a security_warning() in the cases where it doesn't get a timely response since we could then stop the second plugin from running and reporting a false result.

-----Original Message-----
From: Renaud Deraison [mailto:[EMAIL PROTECTED]
Sent: 14 October 2003 14:10
To: [EMAIL PROTECTED]
Subject: Re: msrpc_dcom2.nasl false positives

On Tue, Oct 14, 2003 at 01:57:38PM +0100, Hemsley, Trevor wrote:
> I've been getting a few false positive results when I scan with msrpc_dcom2.nasl and
> with msrpc_dcom.nasl. I've added a bunch of debugging to dcom2.nasl to try to track
> down why it happens. So far as I can see I never get false positives when I scan one
> host at a time, only when I scan a whole bunch - a /24 subnet seems to be enough to
> make it happen repeatedly. The false results come when msrpc_dcom2.nasl exits
> without setting the KB entry and then msrpc_dcom.nasl runs and finds the host
> vulnerable to the old exploit. It looks to me like msrpc_dcom2 is exiting too early.
> For example, in the function check() there is code that says

How many hosts are you testing simultaneously?

Try to edit your .nessusrc and change

    non_simult_ports = 139, 445

to

    non_simult_ports = 135, 139, 445

And see if that helps.
