An easy place to draw the line is the actual binary you are executing on the other end. Beagle is known as a binary from an untrusted source with malicious intent. If you send peculiar packets to discover certain bugs in older versions of OpenSSL, you're sending them to a binary that is not known to be malicious, but may be buggy (yes, I know that the openssl binary could have been swapped by a cracker for a malicious version).
I don't think that now is the time to be drawing such a line. I'm sure that as time goes on, the best place to draw the line will be obvious.
In my opinion, the plugin should be left as is.
Renaud Deraison wrote:
> On Fri, Jan 23, 2004 at 07:32:31AM -0500, Jim Hendrick wrote:
> > To answer your question however, there are very few "normal" programs that
> > would send "43ffffff0000000004120" as opposed to "GET / HTTP/1.0".
>
> Where do you draw the line then? Dozens of plugins send very peculiar packets (SSL negotiations, terminal services recognition, and so on...).
>
> Some of the packets sent are intentionally broken (i.e. you're not more likely to see them on a network than you're likely to see the Bagle probe command), so any virus could "trigger" on them instead.
>
> -- Renaud
> _______________________________________________
> Nessus mailing list
> [EMAIL PROTECTED]
> http://mail.nessus.org/mailman/listinfo/nessus
--
Michael Jensen
Information Systems/Security Manager
In2M Corporation
801.984.4221
