Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Nessus-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Nessus out of memory/server crash

from [Doty, Timothy T.] Network Security [Permanent Link]
Subject: RE: Nessus out of memory/server crash
Date: Fri, 10 Aug 2007 11:49:11 -0500 
That is definitely on my list of things to do and I'll catch up on the
release notes now. I'm actually itching for 3.1, but it is still in beta. I
do wonder about it not being a problem until about 10 days ago though.

Tim Doty

-----Original Message-----
From: Ron Gula [mailto:rgula@tenablesecurity.com] 
Sent: Friday, August 10, 2007 11:37 AM
To: Doty, Timothy T.
Cc: nessus@list.nessus.org
Subject: Re: Nessus out of memory/server crash

Hi Tim,

I suggest upgrading to 3.0.6. There were several known memory issues fixed
in this release, as well as in 3.0.4 and 3.0.5. You can read release notes
in the news section here: http://www.nessus.org/news/

Glad to see you are using tarpits. I think honeypots and generally trying to
deceive an attacker with fake hosts (as compared to trying to masquerade
real hosts) is a good thing.
http://blog.tenablesecurity.com/2006/09/using_honeypots.html

Ron Gula, CTO
Tenable Network Security


Doty, Timothy T. wrote:

I've been running nessus against systems on our network in a fairly 
stable state for almost a year now and am now experiencing problems 
the most obvious manifestation of which is the out of memory errors. 
Checking nessusd.dump shows messages like:

[26618] internal_send->select (4) timed out after 60 secs (overloaded 
CPU ?) [25645] internal_send->select (4) timed out after 60 secs 
(overloaded CPU ?) [25675] internal_send->select (4) timed out after 
60 secs (overloaded CPU ?) [26455] internal_send->select (4) timed out 
after 60 secs (overloaded CPU ?) [4296] os_send(10) failed -- Broken 
pipe [4296] internal_recv_n(10): Error in the middle of a message : 
Broken pipe
(type=262144)
[26839] os_send(8) failed -- Broken pipe [26839] internal_recv_n(8): 
Error in the middle of a message : Broken pipe
(type=262144)
[4296] os_send(10) failed -- Broken pipe [4296] internal_recv_n(10): 
Error in the middle of a message : Broken pipe
(type=262144)
[9500](linpha_order_sql_injection.nasl:0x9dd) Unknown escape sequence '\.'
[9500](linpha_order_sql_injection.nasl:0x9dd) Unknown escape sequence '\.'
[9500](linpha_order_sql_injection.nasl:0x9dd) Unknown escape sequence '\.'

Our server is a 3 GHz Xeon with 2GB of memory. As noted it has been 
running with the current configuration for nearly a year. Historically 
it has run with a load averaging out to around 5 with minimal CPU 
usage (the CPU is normally waiting on the network). Currently it 
quickly escalates until there are so many scan processes that it dies.

Redhat enterprise 4 (I believe), nessus 3.0.3 (I haven't had time to 
deal with getting it upgraded). There isn't much else on the box -- it 
is dedicated to the task of network scanning. It does run nmap as 
well, but there is almost no overhead due to nmap. Everything is 
logged in oracle so there is the overhead of talking to our oracle server.

I believe our server group recently applied security patches to the 
system, but I haven't seen any reference to such impacting nessus.

We do use tarpits interspersed throughout our IP address space, but I 
was just able to verify that nessus is in fact skipping those (they 
are in an exclusion list). It does seem to be taking an inordinate 
amount of time (around 11 minutes each) scanning unused IP addresses.

Any thoughts on what could be wrong or to check next?

I do want to upgrade nessus, but will most likely have to wait until 
the semester is well under way to have any time for that.

Tim Doty


----------------------------------------------------------------------
--

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Nessus out of memory/server crash, Ron Gula
Next by Date:  Re: force slackware plugins, Michel Arboi
Previous by Thread:  Re: Nessus out of memory/server crash, Ron Gula
Next by Thread:  Converting nbe to xml error, Jason
Indexes:  [Date] [Thread] [Top] [All Lists]