
Re: How to use Nessus 3.0.3 (Linux) with Nmap port scanning

Subject: Re: How to use Nessus 3.0.3 (Linux) with Nmap port scanning
Date: Thu, 21 Sep 2006 16:43:23 +0200
On Thu Sep 21 2006 at 15:57, Douglas Nordwall wrote:

> While I know this to be true (although I was not aware that
> safe_checks slowed things down, I may have missed mention of it, but
> I don't remember seeing it)

nessus_tcp_scanner computes two parameters:
min_cnx = 8 * MAX(max_checks, 5);
if (safe_checks)  max_cnx = 24 * MAX(max_checks, 5);
else              max_cnx = 80 * MAX(max_checks, 5);
Those basic values may be lowered if the machine is loaded or short of
file descriptors.
min_cnx is used to initialize open_sock_max which is the number of
open parallel connections: open_sock_max = min_cnx / (pass + 1);
open_sock_max is then adjusted during the scan; it never goes higher
than max_cnx.

The number of probes per second is *never* adjusted. But you can
estimate it from open_sock_max and the RTT (roughly < open_sock_max / rtt)

For example, if you set max_checks to 5 and safe_checks:
min_cnx=40; max_cnx = 120;
During the first pass, nessus_tcp_scanner will first try to open 40
sockets at once. If the target answers well, the number of parallel
connections will increase but never go above 120.
If there is a second pass, nessus_tcp_scanner will first open 20
sockets at once
...
At the beginning of the tenth pass (definitely a problem with the
target), it will open 4 sockets at once.

> I needed very slow scans (on the order of no more than 5 ports in 5
> minutes) to bypass the countermeasures.

This means that you'll need 65535 min = 1092.25 h = 45.5 days to run a
full port scan. Is this acceptable? I don't think so.

Maybe ask Fyodor what they did to compensate for the problems you are
concerned about?

nmap randomizes the port numbers by default. We suspect that this
defeats crude countermeasures.

> fair enough, and for your network that is fine.

I nearly never scan *my* network. My experience comes from different
networks on my customers' sites. Many of them are a mix of quick LAN,
overloaded links or routers, slow leased lines or high latency
satellite based WAN. Scans often run more than a day and the network
load is concentrated during the working hours (or at least, the nature
of the traffic changes in the evening). That's why I needed an
adaptive tool!
It would be great if this scanner could also suit your needs, but I
am afraid that your requirements are too strict.

> I know fairly well, and have access to exactly what's happening on
> it, I can make those determinations in other ways.

Maybe Nessus SYN scanner would be better for you? It is slower but
its behaviour is more regular, IIRC.

> You asked why people prefer to use nmap instead of the built in.

I see. I am still surprised by your figures.

-- 
http://arboi.da.ru/                     http://ma75.blogspot.com/
PGP key ID : 0x0BBABA91 - 0x1320924F0BBABA91
Fingerprint: 1048 B09B EEAF 20AA F645  2E1A 1320 924F 0BBA BA91
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
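The connection-limit arithmetic described in the mail above, as an added example that is not part of the original message or of the nessus_tcp_scanner source: it models min_cnx, max_cnx, the initial open_sock_max of each pass and the probe-rate bound for max_checks=5, and carries the one-port-per-minute duration calculation through. The RTT values (50 ms LAN, 600 ms satellite) are constructed inputs.

```c
#include <stdio.h>

#define MAX(a, b) ((a) > (b) ? (a) : (b))
#define TCP_PORTS 65535

/* Limits derived the way the mail describes them. Stand-alone model written
 * for this example, not the scanner's own code. */
struct cnx_limits { int min_cnx; int max_cnx; };

struct cnx_limits compute_limits(int max_checks, int safe_checks)
{
    struct cnx_limits l;
    int base = MAX(max_checks, 5);              /* floor of 5 */
    l.min_cnx = 8 * base;
    l.max_cnx = (safe_checks ? 24 : 80) * base; /* safe_checks lowers the cap */
    return l;
}

/* Sockets opened at once at the start of a pass; pass is 0-based, so the
 * mail's "first pass" is pass 0. Later adjustment never exceeds max_cnx. */
int initial_open_sock_max(int min_cnx, int pass)
{
    return min_cnx / (pass + 1);
}

/* Rough upper bound on the probe rate: open_sock_max / RTT. */
double estimate_probes_per_second(int open_sock_max, double rtt_seconds)
{
    return rtt_seconds > 0.0 ? open_sock_max / rtt_seconds : 0.0;
}

/* Hours needed to cover every TCP port at a fixed rate of ports per minute. */
double full_scan_hours(double ports_per_minute)
{
    return TCP_PORTS / ports_per_minute / 60.0;
}

int main(void)
{
    struct cnx_limits safe = compute_limits(5, 1), fast = compute_limits(5, 0);
    int pass;
    printf("max_checks=5: safe_checks min/max=%d/%d, otherwise min/max=%d/%d\n",
           safe.min_cnx, safe.max_cnx, fast.min_cnx, fast.max_cnx);
    for (pass = 0; pass < 10; pass++)
        printf("pass %2d: opens %2d sockets at once\n",
               pass + 1, initial_open_sock_max(safe.min_cnx, pass));
    printf("40 sockets: ~%.0f probes/s on a 50 ms LAN, ~%.0f probes/s over a 600 ms link\n",
           estimate_probes_per_second(40, 0.05), estimate_probes_per_second(40, 0.6));
    printf("one port per minute: %.2f hours for a full port scan\n", full_scan_hours(1.0));
    return 0;
}
```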
