On Wed, Nov 12, 2003 at 03:45:00PM +0000, Paul Johnston wrote:
> Hi,
>
> I'm trying to understand this plugin a bit better. Is this analysis
> reasonable?
[...]
Yes.
> So - in theory this plugin should never false positive...?
It should not. The only way it could false positive is if the remote
host sends an ICMP unreach message which matches the pcap filter of the
plugin. Not very likely.
If you see a host which fires the plugin, you may want to
launch a tcpdump next to it and see what you are actually sent back.
> Just one thing I noticed - the plugin waits 31 seconds for the response,
> but I notice Windows 2000 default fragment timeout is 60 seconds.
Yeah, but at this time this vulnerability is only known to affect Linux.
Since 60 seconds is a hell of a long time, I'd rather avoid extending
the timeout for no real reason.
> Also,
> there's a CVE for the vulnerability - CAN-2003-0001
Nah - that's etherleak.
-- Renaud
