Re: [FW-1] AW: [FW-1] security hole isakmp
On Fri, 3 May 2002, Jochen Vogel wrote:

> i take a tcpdump on the scanner and found out the following
>
> nmap didn't find the port
>
> 09:33:26.858000 scanner.57345 > firewall.isakmp: udp 0

my guess is that the firewall-1 system is smart enough to know that the originator should be using a source port of udp/500 for any real ISAKMP negotiations (and not some random ephemeral port like udp/57345). i'll work on a patch to nmap today to force a src port of udp/500 if dst port is udp/500.

> nessus found the port
>
> 09:35:49.411438 scanner.isakmp > firewall.isakmp: udp 379

note that the source port here is udp/500. the only other possibility is that nessus is including a faked isakmp payload (note the length of 379 vs. 0). if you do something like `# tcpdump -n -vvv -s1500 udp port 500` while the nessus scan is going on, it should show the payload. but, i tend to think the first reason is the correct one.

- brett
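An added example, not part of the original message: a Python check a defender could run on UDP payload bytes captured with the tcpdump command above, to tell an empty probe from a datagram that carries a well-formed ISAKMP header (RFC 2408, section 3.1). It assumes IKEv1 only; the function names and the 379-byte sample payload are constructed for illustration.

```python
import struct

# ISAKMP fixed header, 28 bytes, network byte order (RFC 2408, section 3.1):
# initiator cookie, responder cookie, next payload, version, exchange type,
# flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (Main Mode)",
                  3: "Authentication Only", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode", 33: "New Group Mode"}
ZERO_COOKIE = b"\x00" * 8

def classify_probe(src_port, payload):
    """Return (verdict, detail) for one UDP datagram sent to port 500."""
    if not payload:
        return "empty", f"zero-length probe from source port {src_port}"
    if len(payload) < ISAKMP_HDR.size:
        return "not-isakmp", "shorter than the 28-byte ISAKMP header"
    (icookie, rcookie, _next_payload, version, xchg,
     _flags, msg_id, length) = ISAKMP_HDR.unpack_from(payload)
    problems = []
    if icookie == ZERO_COOKIE:
        problems.append("initiator cookie is all zeros")
    if version >> 4 != 1:  # assumption: only IKEv1 (major version 1) is expected
        problems.append(f"unexpected major version {version >> 4}")
    if xchg not in EXCHANGE_TYPES:
        problems.append(f"unknown exchange type {xchg}")
    if length != len(payload):
        problems.append(f"header length {length} != datagram length {len(payload)}")
    if problems:
        return "malformed", "; ".join(problems)
    first = rcookie == ZERO_COOKIE and msg_id == 0
    stage = "first message" if first else "exchange in progress"
    return "isakmp", f"{EXCHANGE_TYPES[xchg]}, {stage}, source port {src_port}"

def sample_main_mode(total_len=379):
    """Constructed sample: valid header, zero-filled body (not a real SA payload)."""
    header = ISAKMP_HDR.pack(bytes(range(1, 9)), ZERO_COOKIE, 1, 0x10, 2, 0, 0, total_len)
    return header + b"\x00" * (total_len - ISAKMP_HDR.size)

if __name__ == "__main__":
    # The two datagram shapes seen in the capture: 0 bytes from an ephemeral
    # port, and 379 bytes from source port 500.
    for port, data in ((57345, b""), (500, sample_main_mode())):
        print(port, len(data), classify_probe(port, data))
```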