False positive in dabber_worm.nasl

One of the devices we scan has many ports open in order to be a target for outbound scans of firewalls. When dabber_worm.nasl sees it, it sees its “dangerous” ports open, then sends a “C” to the port it selects. If it gets back any response at all, it marks the system as being infected with the Dabber worm.

Could dabber_worm.nasl be modified to check the returned value in some way to avoid this?

Have a look at the creation date of that VT:

  script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");

Adding any response check to that VT would mean either getting hold of a nearly 15-year-old worm or finding some info somewhere on the internet about how the worm replied to such a request. Looks to me like a nearly impossible task.

As your setup looks like something really exotic, I guess the only option you currently have is to create an override for this result to either a “log” level or a “false positive”, as described in the manual:

https://docs.greenbone.net/GSM-Manual/gos-6/en/reports.html#using-overrides-and-false-positives
