msrpc_dcom2.nasl false positive anyone ?
Hemsley, Trevor
Trevor.Hemsley at atosorigin.com
Fri Sep 19 09:07:18 EDT 2003
Sorry, I wasn't clear, this is run from nessusd using

nessus --config-file=configs/rpcdcom.nessusrc --output-type=nsr --batch-mode 127.0.0.1 1241 user password targets/range results/range

and rpcdcom.nessusrc contains the following things set to yes

here:~ $ grep -i yes configs/rpcdcom.nessusrc
10180 = yes
log_whole_attack = yes
report_killed_plugins = yes
optimize_test = yes
safe_checks = yes
auto_enable_dependencies = yes
ping_hosts = yes
10150 = yes
10785 = yes
11808 = yes
11835 = yes
Misc information on News server[checkbox]:Local distribution = yes
Ping the remote host[checkbox]:Do a TCP ping = yes
Ping the remote host[checkbox]:Log live hosts in the report = yes
SMB Scope[checkbox]:Request information about the domain = yes
Services[checkbox]:Quick SOCKS proxy checking = yes
Nmap[checkbox]:Ping the remote host = yes
Nmap[checkbox]:Do not randomize the order in which ports are scanned = yes
Login configurations[checkbox]:Never send SMB credentials in clear text = yes

nessusd.messages says (for one of the hosts)

[Fri Sep 19 10:21:23 2003][16078] user nessus : testing x.x.x.x (x.x.x.x) [16241]
[Fri Sep 19 10:21:23 2003][16241] user nessus : launching ping_host.nasl against x.x.x.x [16246]
[Fri Sep 19 10:21:24 2003][16241] user nessus : launching find_service.nes against x.x.x.x [16325]
[Fri Sep 19 10:21:24 2003][16241] user nessus : launching msrpc_dcom2.nasl against x.x.x.x [16329]
[Fri Sep 19 10:21:48 2003][16241] user nessus : launching cifs445.nasl against x.x.x.x [16696]
[Fri Sep 19 10:21:48 2003][16241] user nessus : launching msrpc_dcom.nasl against x.x.x.x [16697]
[Fri Sep 19 10:22:02 2003][16241] user nessus : launching netbios_name_get.nasl against x.x.x.x [16907]
[Fri Sep 19 10:22:05 2003][16241] user nessus : launching smb_nativelanman.nasl against x.x.x.x [16934]
[Fri Sep 19 10:22:08 2003][16241] Finished testing x.x.x.x. Time : 44.91 secs

-----Original Message-----
From: Renaud Deraison [mailto:deraison at nessus.org]
Sent: 19 September 2003 13:46
To: nessus at list.nessus.org
Subject: Re: msrpc_dcom2.nasl false positive anyone ?
On Fri, Sep 19, 2003 at 01:24:49PM +0100, Hemsley, Trevor wrote:
> I am still seeing some weirdness that doesn't make sense. I have machines that are telling me that they're vulnerable to MS03-026 but not to MS03-039 and I do not think that this is possible. I'm running msrpc_dcom2.nasl v1.22 and msrpc_dcom.nasl v1.10.
Err - this is expected. If you run msrpc_dcom.nasl in command-line mode,
it will produce false positives against systems patched with MS03-039.
The solution is to run the scripts from within nessusd, which handles
the plugin cooperation nicely and will avoid such false positives.