Re: Nessus performance on Linux

Subject: Re: Nessus performance on Linux
Date: Thu, 9 Aug 2007 08:48:38 -0700
On 8/9/07, Richard van den Berg <richard@vdberg.org> wrote:

> I'm running nessus 3.0.5 on Debian 4.0 with a 2.6.18 kernel. The
> hardware is a Pentium 4M 2.2 GHz with 1GB of RAM. I'm using nessj on
> another system to connect to this nessus scan engine.
>
> max_checks and max_hosts are both set to 2.

This will make scanning even one machine pretty slow. 2 checks at a time :)

> I've enabled all plugins
> except DoS and safe_checks are off. I use nmap for port scanning, and
> the results are loaded from a gnmap file.

While totally unscientific (otherwise known as in my experience), I've seen
nmap run via nessus be more resource intensive than the built-in tcp
scanner. Understandable too, because nmap is
super-fantastic-swiss-army-knife-of-network-awesomeness. It can be a bit
overkill for "generic" scanning though :)

> Occasionally the scanning system becomes very unresponsive, system load
> shoots up to around 10 and the CPU is at 0% idle. Today is especially
> bad with the system spending hours with continuously 60% of CPU time
> spent on "system" with peaks of 80%. If I "kill -STOP" the nessus
> processes, the system goes back to 99% idle. Only 800MB of RAM is used,
> and no swapping occurs.

It's not uncommon for me to see my system load during a scan be over 30
during parts of my scan (I have not actually sat down and figured out if it
was the port scan or the vuln checks). My scanning system also can get
pretty beat up by this, but it's an older box.

> This causes nessus to take hours to scan a single host with only a few
> open ports. Tcpdump shows that the hosts are still being scanned, but at
> a very slow rate.

Does the host have any countermeasures on it? Firewall with drop rules or
IPS? A very slow rate in my experience usually points to it not getting
responses back from the host.

Try tailing (tail -f) your nessusd.messages and nessusd.dump files and see
what portion of the scan it's at. You can also figure out some of this with
a ps -efwww

> What could be the reason that my system is spending so much time on
> kernel processes? Is there any tuning I can do to prevent this from
> happening?
>
> Sincerely,
>
> Richard van den Berg
> _______________________________________________
> Nessus mailing list
> Nessus@list.nessus.org
> http://mail.nessus.org/mailman/listinfo/nessus




-- 
Doug Nordwall
Unix, Network, and Security Administrator
You mean the vision is subject to low subscription rates?!!? - Scott Stone,
on MMORPGs
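
As a complement to the `ps -efwww` and log-tailing suggestions in this thread, here is an added example (not from either poster) that ranks processes by kernel ("system") CPU ticks using `/proc/<pid>/stat`. It assumes a Linux `/proc` filesystem and that the scanner processes carry `nessusd` in their command name; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: per-process user vs. kernel ("system") CPU ticks from /proc.

# parse_stat LINE -> "pid utime stime comm"
# /proc/<pid>/stat is "pid (comm) state ppid ..."; utime and stime are
# fields 14 and 15. comm may contain spaces or ')', so split at the LAST ')'.
parse_stat() {
    line=$1
    pid=${line%% *}
    comm=${line#*\(}       # drop "pid ("
    comm=${comm%\)*}       # drop from the last ")" onward
    rest=${line##*\) }     # fields from "state" onward
    set -- $rest           # $1=state, so utime=${12}, stime=${13}
    echo "$pid ${12} ${13} $comm"
}

# kernel_share UTIME STIME -> integer percent of CPU ticks spent in the kernel
kernel_share() {
    total=$(( $1 + $2 ))
    [ "$total" -gt 0 ] || { echo 0; return 0; }
    echo $(( $2 * 100 / total ))
}

# rank_by_stime PATTERN -> "stime utime kernel% pid comm", highest stime first,
# for every live process whose comm contains PATTERN.
rank_by_stime() {
    pat=$1
    for f in /proc/[0-9]*/stat; do
        { read -r l < "$f"; } 2>/dev/null || continue   # process already exited
        parse_stat "$l" | while read -r pid ut st comm; do
            case $comm in
                *"$pat"*) echo "$st $ut $(kernel_share "$ut" "$st")% $pid $comm" ;;
            esac
        done
    done | sort -rn
}

# Usage on the scan host:  rank_by_stime nessusd
```

Running it twice a few seconds apart shows which processes are accumulating kernel time; the tick values are cumulative since each process started.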