SecurityCenter – Asset list trap

The Trick of Dynamic asset lists, and avoiding the trap

So someone asked me what seemed to be a simple question:

“Can I create an asset list of hosts that have a port responding between 100 and 200.”   A perfectly reasonable question.   The “off the cuff” response would be:

“Sure with the following rules:

  • ALL
    • Port is greater than 100
    • Port is less than 200

On its face it looks like it should do the job,  but it doesn’t evaluate the way we’d think.

Take the following example, a host that has only port 80 and port 201 responding.  This host, based upon the original requirements would not be in this asset list.

Now lets look how its evaluated:

  1. Does the host have a port open greater than 100? (Answer=TRUE, port 201)
  2. Does the host have a port open that is less than 200? (Answer=TRUE, port 80)

1 AND 2 are true, therefore we have fulfilled both requirements of the ALL clause, and therefore the host is placed in the list.

It’s a very tricky trap, something to watch for.

Source: Nessus and SecurityCenter

Leave a Reply

Your email address will not be published. Required fields are marked *