mailing list archives
Re: Nessus Scan
From: Steve Hillier <securityfocus () mastermindtoys com>
Date: Thu, 16 Aug 2007 16:22:25 -0400
Sorry if this was answered already, but were you doing a SYN scan or a
full connect scan?
Quite often when doing a SYN scan the IDS or firewall sees the half-open
connection and closes it, then blocks the IP that made the initial
connection for a period of time. I think some IDSs will report this as a
"SYN Flood", or something similar.
Because the initial connection was successful, Nessus records it as an
open port, but when it goes back to do the vulnerability testing, the
IDS is blocking the connection, and Nessus reports the port in the
manner you mentioned in your initial email.
I've seen this happen on a few scans I've done, and I've always taken it
to mean that the IDS was doing its job.
For what it's worth...
Steve Hillier, B.Sc.
On 08/16/2007 02:11 PM, mikef () everfast com wrote:
The open ports in question are 80 & 443. There is a PIX firewall between the server and the border router and the web
logs show requests from the scan vendor.