RE: Scanning 65K ports on 45 subnets

Subject: RE: Scanning 65K ports on 45 subnets
Date: Mon, 23 May 2005 13:33:53 -0400
I had problems with maxing out my nessus log file and hanging the whole
scan when scanning class B networks.  Make sure "log the whole attack"
is turned off.

________________________________

From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of sanjeev sinha
Sent: Monday, May 23, 2005 8:33 AM
To: Chad McDonald; nessus@list.nessus.org
Subject: Re: Scanning 65K ports on 45 subnets


Generally when doing security scans of such a large magnitude, I try to
determine if all the hosts on these subnets are:
a. listening at all or not
b. which are important hosts (like servers etc.)
c. which are internet facing hosts
d. is nmap scanning really necessary (if you are specifying that option
in your plugin selection)?   I would first try to determine what service
and transactional ports you may have open on these hosts by targeting
them in an initial nmap scan instead of targeting the entire range as
this is what can make you grow old when trying to scan a class B
network.  
 
The fine and very knowledgeable people here may have more to add to my
list of things to do.
 
If you think about it, even if your scan was running at a fast and the
furious pace, you would have a huge output which could take just as
long, if not longer, to sift through and analyze.  You may want to
revisit the 65k port option and even then try to determine which hosts
to scan and which ones to leave out as you may have devices like
printers etc. that may have one of those ip addresses and which can be
negated by a rule for file and print sharing.  To illustrate this fact,
just try to scan a subnet with nmap on all 65k ports and see how long it
takes you.  That may change your mind. Of course, all this is immaterial
if you have an anal boss who wants to have this done, in which case, I
would just bite the bullet and do it. 
 
 
SS

        ----- Original Message ----- 
        From: Chad McDonald <mailto:chad.mcdonald@gcsu.edu>  
        To: nessus@list.nessus.org 
        Sent: Monday, May 23, 2005 8:00 AM
        Subject: Scanning 65K ports on 45 subnets

        I have Nessus running on 5 different machines, all running Suse
        9.1.  I have adjusted the following scan options:
        Port range to all 65K+
        Number of hosts to test at the same time = 10
        Number of checks to perform at the same time = 5
        Optimize the test = enabled
         
         
        Prefs:
        Simultaneous connections = 10
        Network connection timeout = 2
        Network Read/write timeout = 2
        Wrapped service read timeout = 2
         
        These 5 boxes range from P2 400mhz to P4 2.6ghz.  When I attempt
        to scan even 1 subnet with each box, the scan time is ridiculous to the
        point of making the results useless (typically 2 or 3 days, if it
        completes at all.)  Given that I have 45 class b subnets to scan, do any
        of you have any suggestions for remedying this problem?  I have seen
        other posts on this list where users are scanning with relatively low
        powered machines, and are not having the speed issues that I am.  As an
        added note, scanning from my OS X laptop I can scan one subnet in about
        2 hours with the same settings.
         
         
        Thanks, 
        Chad McDonald, CISSP
        Chief Information Security Officer
        Georgia College & State University
        478.445.4473  Office
        478.454.8250 Cell
        478.445.1202 Fax
         
        _______________________________________________
        Nessus mailing list
        Nessus@list.nessus.org
        http://mail.nessus.org/mailman/listinfo/nessus
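
Added example, not part of the original thread or of Nessus: a sketch of the triage suggested in the reply above, where an initial nmap pass decides which hosts are worth a full Nessus scan and on which ports. It parses nmap's grepable (`-oG`) output; the sample data, the function names and the printer port set are constructed assumptions.

```python
import re

# Constructed sample of `nmap -oG` output (tab-separated fields); addresses
# are from the 192.0.2.0/24 documentation range, not from the thread.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (www)\tStatus: Up
Host: 192.0.2.10 (www)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.20 ()\tStatus: Up
Host: 192.0.2.20 ()\tPorts: 515/open/tcp//printer///, 9100/open/tcp//jetdirect///\tIgnored State: closed (998)
Host: 192.0.2.30 ()\tStatus: Up
Host: 192.0.2.30 ()\tPorts: 135/filtered/tcp//msrpc///, 445/closed/tcp//microsoft-ds///
Host: 192.0.2.40 (db)\tStatus: Up
Host: 192.0.2.40 (db)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///\tIgnored State: closed (998)
"""

# Assumption: a host exposing only these ports is treated as a printer.
PRINTER_PORTS = {515, 631, 9100}
HOST_RE = re.compile(r"^Host: (\S+) ")
OPEN_TCP_RE = re.compile(r"\b(\d+)/open/tcp/")

def parse_gnmap(text):
    """Return {ip: sorted open TCP ports} for every host in the output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ports = hosts.setdefault(m.group(1), set())
            ports.update(int(p) for p in OPEN_TCP_RE.findall(line))
    return {ip: sorted(p) for ip, p in hosts.items()}

def triage(hosts):
    """Split hosts into scan targets (ip -> port list) and skipped hosts."""
    targets, skipped = {}, {}
    for ip, ports in hosts.items():
        if not ports:
            skipped[ip] = "no open ports"
        elif set(ports) <= PRINTER_PORTS:
            skipped[ip] = "printer-only ports"
        else:
            targets[ip] = ",".join(map(str, ports))
    return targets, skipped

if __name__ == "__main__":
    targets, skipped = triage(parse_gnmap(SAMPLE_GNMAP))
    for ip, port_list in targets.items():
        print(f"scan {ip} ports {port_list}")
    for ip, why in skipped.items():
        print(f"skip {ip}: {why}")
```

The skipped list is worth keeping alongside the scan results so that excluded hosts are a recorded decision rather than a silent gap in coverage.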