> I ran into this problem the other day running a port scan (1-65535) on
> a firewall (which dropped all packets - no open or closed ports)

>Considering what happened, I suspect that your firewall does not "drop"
>packets but rather "rejects" them with ICMP messages.

I was aware of the limitations of ICMP messages, and have seen that before (mostly w/ nmap). In fact, that would have explained the situation for me. I can tell you that of the packets that I saw b/w the two hosts, I never saw any ICMP messages coming from the firewall.

I did actually save a partial packet capture from my initial scan and I went back through it and filtered for this one host. Below is a representative sample. I have roughly 3800 SYN's to this host without one reply (ICMP or RST). I believe this was nessus_tcp_scanner

src.x.x.x.38212 > dstx.x.x.x.3838: S 3208167900:3208167900(0) win 5840 <mss 1460,sackOK,timestamp 862864247 0,nop,wscale 2>
src.x.x.x.49767 > dst.x.x.x.3891: S 3204817310:3204817310(0) win 5840 <mss 1460,sackOK,timestamp 862864247 0,nop,wscale 2>
src.x.x.x.43774 > dst.x.x.x.3944: S 3205253786:3205253786(0) win 5840 <mss 1460,sackOK,timestamp 862864247 0,nop,wscale 2>
src.x.x.x.39130 > dst.x.x.x.3997: S 3201729308:3201729308(0) win 5840 <mss 1460,sackOK,timestamp 862864247 0,nop,wscale 2>
src.x.x.x.41805 > dst.x.x.x.4050: S 3198041800:3198041800(0) win 5840 <mss 1460,sackOK,timestamp 862864247 0,nop,wscale 2>
src.x.x.x.35136 > dst.x.x.x.4103: S 3214628214:3214628214(0) win 5840 <mss 1460,sackOK,timestamp 862864247 0,nop,wscale 2>
src.x.x.x.53891 > dst.x.x.x.4156: S 3200384851:3200384851(0) win 5840 <mss 1460,sackOK,timestamp 862864247 0,nop,wscale 2>
src.x.x.x.54316 > dst.x.x.x.4209: S 3206064725:3206064725(0) win 5840 <mss 1460,sackOK,timestamp 862864247 0,nop,wscale 2>

>Any idea on the remote host OS and packet filter?
>Which was the value of max_check?

The information I have says it is 'supposed' to be a Netscreen firewall.
Max_checks = 4
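
The drop-versus-reject question raised in this exchange can be settled from a text capture by pairing each outbound SYN with whatever came back. The following is an added example, not part of the original message or of Nessus; the addresses, the sample lines (written in the same old-style tcpdump text format) and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample capture (documentation addresses); 192.0.2.10 is the
# scanner, 198.51.100.7 the scanned host, 198.51.100.1 a filtering device.
SAMPLE = """\
192.0.2.10.38212 > 198.51.100.7.3838: S 3208167900:3208167900(0) win 5840 <mss 1460>
192.0.2.10.49767 > 198.51.100.7.3891: S 3204817310:3204817310(0) win 5840 <mss 1460>
198.51.100.7.3891 > 192.0.2.10.49767: R 0:0(0) ack 3204817311 win 0
192.0.2.10.43774 > 198.51.100.7.22: S 3205253786:3205253786(0) win 5840 <mss 1460>
198.51.100.7.22 > 192.0.2.10.43774: S 77:77(0) ack 3205253787 win 5840 <mss 1460>
192.0.2.10.39130 > 198.51.100.7.3997: S 3201729308:3201729308(0) win 5840 <mss 1460>
198.51.100.1 > 192.0.2.10: icmp: 198.51.100.7 tcp port 3997 unreachable
"""

TCP = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+): ([SFRPWE.]+) (.*)$")
ICMP = re.compile(r"^(\S+) > (\S+): icmp: (\S+) tcp port (\d+) unreachable")
ACK = re.compile(r"\back\b")

def classify(capture, scanner, target):
    """Map each probed port on target to open, closed, rejected or no-reply."""
    state = {}
    for line in capture.splitlines():
        m = ICMP.match(line)
        if m and m.group(2) == scanner and m.group(3) == target:
            state[int(m.group(4))] = "rejected"    # ICMP unreachable came back
            continue
        m = TCP.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags, rest = m.groups()
        if src == scanner and dst == target and flags == "S" and not ACK.search(rest):
            state.setdefault(int(dport), "no-reply")  # retransmits do not reset a seen reply
        elif src == target and dst == scanner:
            if "R" in flags:
                state[int(sport)] = "closed"        # RST answered the probe
            elif "S" in flags and ACK.search(rest):
                state[int(sport)] = "open"          # SYN-ACK answered the probe
    return state

def summarize(capture, scanner, target):
    """Count ports per outcome; an all no-reply result means silent dropping."""
    return Counter(classify(capture, scanner, target).values())

if __name__ == "__main__":
    print(summarize(SAMPLE, "192.0.2.10", "198.51.100.7"))
```

A capture that contains only outbound SYNs yields no-reply for every probed port.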
