Hmmm... I guess I would consider "the line" to be that this plugin chooses to trigger something to happen in known malware vs. the SSL negotiations, etc. that are used to test legitimate services.
I guess ultimately I would use the plugin as part of identifying/verifying Bagle, but recognize it as part of the "dangerous plugins" section.

Jim

----- Original Message -----
From: "Renaud Deraison" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 23, 2004 8:59 AM
Subject: Re: Bagle remover + Nessus 2.2

> On Fri, Jan 23, 2004 at 07:32:31AM -0500, Jim Hendrick wrote:
> > To answer your question however, there are very few "normal" programs that
> > would send "43ffffff0000000004120" as opposed to "GET / HTTP/1.0".
>
> Where do you draw the line then? Dozens of plugins send very peculiar
> packets (SSL negotiations, terminal services recognition, and so on...).
>
> Some of the packets sent are intentionally broken (i.e. you're not more
> likely to see them on a network than you're likely to see the Bagle
> probe command), so any virus could "trigger" on them instead.
>
> -- Renaud
> _______________________________________________
> Nessus mailing list
> [EMAIL PROTECTED]
> http://mail.nessus.org/mailman/listinfo/nessus
