We have been writing a custom a plugin to test for the presence of McAfee EPO
Agent on workstations and we have had success in accomplishing this but we had
several problems along the way for which we would like to request answers. We
are using Nessus server and client 3.2.0:
1. Why do the get_port_state, get_tcp_port_state and get_udp_port_state
functions always return a value of 1 (i.e. true)?
We noted the comment that the get_udp_port_state function may be unreliable but
we were expecting the get_tcp_port_state or just get_port_state function to
reliably report the port status. By using Wireshark on a laptop running Linux,
we were able to determine that the function does not send any request or
packets to the remote workstation. How then does it determine that the port is
indeed open?
2. Since the UPD protocol is stateless or connection less, the above function
always returns true and the open_sock_udp function aqlso always succeeds, how
do you determine whether a UDP port is open on a remote host? How do you listen
to a response on that port?
3. When you drop a custom plugin into the plugin directory
(/opt/nessus/lib/nessus/plugins) and restart Nessus, the plugin does not
immediately appear in the plugin list. We checked and double checked all of the
fields on the description and they appear to be correct but just in case, here
is our description section:
if (description)
{
script_id(95001);
script_version("$Revision: 1.0 $");
script_name(english:"Detect EPO Agent");
script_summary(english:"Detect presence of EPO Agent and return information");
desc = "
Synopsis :
Checks whether McAfee EPO Agent is running on the remote host
Description :
This plugin attempts to determine whether McAfee EPO agent is
running on the remote host and returns some information about
the agent.
Solution :
None
Risk factor:
None";
script_description(english:desc);
script_category(ACT_GATHER_INFO);
script_family(english:"LCC Custom");
script_copyright(english:"This script is Copyright (C) 2008, John Chajecki, Lei
cester City Council");
script_dependencies("");
script_require_ports("Services/www", 8081, "Services/www", 8086);
exit(0);
}
What seems to happen is that the plugin does eventually appear in the list some
30min to an hour later.
Is there any way to force a re-sync of the plugin database so that it will
appear immediately or reasonably quickly?
4. Is there a way of selecting all plugins for a specific platform e.g.
Solaris, Windows. Cisco etc? We couldn't find any and this seems a major
omission in our opinion.
5. On the plugin selection tab in the Nessus Client, why does the find function
never return any results? Also, why does the 'Show All' button cause all
plugins AND all port scanners on the option page AND other options on other
tabs to become de-selected?
Any explanation would be greatly appreciated.
_
John Chajecki
Senior Infrastructure Engineer
Information Division
Resources Department
Leicester City Council
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
