The Trick of Dynamic asset lists, and avoiding the trap
So someone asked me what seemed to be a simple question:
“Can I create an asset list of hosts that have a port responding between 100 and 200.” A perfectly reasonable question. The “off the cuff” response would be:
“Sure with the following rules:
- Port is greater than 100
- Port is less than 200
On its face it looks like it should do the job, but it doesn’t evaluate the way we’d think.
Take the following example, a host that has only port 80 and port 201 responding. This host, based upon the original requirements would not be in this asset list.
Now lets look how its evaluated:
- Does the host have a port open greater than 100? (Answer=TRUE, port 201)
- Does the host have a port open that is less than 200? (Answer=TRUE, port 80)
1 AND 2 are true, therefore we have fulfilled both requirements of the ALL clause, and therefore the host is placed in the list.
It’s a very tricky trap, something to watch for.
Source: Nessus and SecurityCenter