1) I'm wondering what the best practices are for troubleshooting a scan.
For example, I have noticed people setting max_checks = 1. Is there a
good how-to or methodology that others are successfully using? I know I
can manually enable/disable plugins, but with so many plugins that seems
a bit old-school. Isn't there some debugging that show exactly what is
being executed at what time, etc?
With max_checks=1, the Nessus scanner won't execute more than one plugin
against a target host. This is useful if you are trying to debug which
plugin may be interacting with a target at a certain time, but not ideal.
Also, you didn't specify what you were trying to discover. Did Nessus miss
something? If you are not performing client side audits, using a sniffer
to how Nessus interacts with a host is very informative.
2) I would like to know exactly which plugins were executed against a
host. This is the immediate problem I need to solve. I enabled logging
and debugging, but I don't see all the plugins listed in the debug file
that ran. For example, the MS SQL Server Brute Force plugin ran, but no
output or information was found in the debug file.
I am always curious why Nessus users need this sort of information for
understanding the output of a scan, or perhaps to show management that
they indeed performed a full audit.
If a plugin didn't get logged, then it didn't run.
The MS SQL Brute Force plugin depends on Hydra and will immediately
exit if Hydra is not configured or available in the path.
If you want to test specific plugins and their settings, I suggest saving
the KB from a Nessus scan and then using the 'nasl' command line tool to
test them out as referenced in this blog entry:
http://blog.tenablesecurity.com/2007/06/using-the-nasl-.html
Ron Gula
Tenable Network Security
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
