Roman Medina-Heigl Hernandez escribió: >>> - I don't understand why the diferent ping probes (tcp, icmp, etc) are >>> AND'ed instead of OR'ed. >> Looking at the plugin further, the answer I gave was not quite correct - >> it will mark a host as alive and exit if one of the checks succeeds. The > > This sounds logical to me: a logical "OR". You scared me when you told the > behaviour was an AND (inmediately I stripped "icmp" from my config ;-)). > >> exception is if you enable an arp ping and the target is on the same >> network segment as the Nessus server -- then the plugin marks the host >> as dead or alive based on the result and exits without trying any of the >> other checks. > > Also very reasonable. I only can think of one (*very* strange) scenario > where it would fail: one with all arp being filtered, and hosts using fixed > MAC file (/etc/ethers) to "resolve" IP to MAC addreses. In practice, I've > never found that.
Another thought: why isn't ICMP enabled by default? IMHO, it doesn't hurt (it is a light test and it could prevent another heavier tests like TCP-Ping). If ping tests are OR'ed (except ARP-ping), then ICMP will add accuracy and perhaps save time (if done before tcp-ping). Cheers, -r _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
