Yeah, that doesn't surprise me that it does. With that being the case, that is why it is being run on all platforms through DCA and not screened off. We'd have to assume that it is intended to run regardless of platform based on that information, which does bring Windows 2003 back into the equation.

The next issue becomes the fact that you've confirmed that you aren't running a DNS server on that machine. Since it is not there, the check should time out in or around the same time that it would take if it were a foundvuln condition.

I went ahead and did a sanity check on what you are experiencing, and here's what I see running the check singly to isolate off most everything that could be running in parallel with the check (meaning other checks), thus taking away resource sharing issues:

For a host that is vulnerable (a Red Hat Linux box), the check ran in about 1 sec or less:

    # Time Stamp(0x5f0):xxx.xxx.xxx.xxx ZoneXferCheck: (1118845023) Wed Jun 15 10:17:03
    xxx.xxx.xxx.xxx: zonexfer vulnerable
    2005-06-15 10:17:03.000 <-- Next timestamp
    ******

For a host that was not vulnerable, similar to yours (a Windows 2003 Server box), the check ran in about 6 seconds:

    # Time Stamp(0x660):xxx.xxx.xxx.xxx ZoneXferCheck: (1118845382) Wed Jun 15 10:23:02
    # xxx.xxx.xxx.xxx zonexfer could not connect
    2005-06-15 10:23:08.000 <-- Next timestamp
    ******

You might want to try running the check all by itself and see if it continues to take so long on it. If you can send the log snippet like you did before, snip it below all of those check group numbers after the check:

    <Elapsed-Time check-group-number='4165' host='xxx.xxx.xxx.xxx' msecs='0'/>

I'm not sure what those are, but I'd like to see the timestamp directly under them. If you run the check singly and it is still as slow, it strips off the case where there is more going on due to it being an L5 Server policy it is coming out of.

Pierre-Arnauld Lecoeuvre <[EMAIL PROTECTED]> wrote:

Hello,

According to the description in the Policy Editor, here are the platforms:

IRIX: Any version, HP-UX: Any version, BSD: Any version, Linux: Any version, Solaris: Any version, DG/UX: Any version, Windows: 95, OS/2: Any version, Windows NT: 4.0, Compaq Tru64 UNIX: Any version, Windows: Me, Cisco IOS: Any version, SCO Unix: Any version, Windows: 98, Novell NetWare: Any version, Windows: 98 Second Edition, Windows 2000: Any version, AIX: Any version, Mac OS: Any version, Windows: XP, Windows 2003: Any version

My win2k3 is not running any DNS service, and the nslookup command answers quickly.

In the log file, here is the occurrence with zonexfer:

    # Time Stamp(0x690):172.16.132.137 ZoneXferCheck: (1118744719) Tue Jun 14 12:25:19
    # 172.16.132.137 zonexfer could not connect

And I see the same thing in the GUI. The next entry has its time stamp at 12h53. The entire scan takes 1h40.

Thanks.
Regards.

-------------------------------------------------
Pierre-Arnauld Lecoeuvre.
DEV/IIS/OAU/NET
Phone : +33 (0)4.97.23.09.62
-------------------------------------------------

Woah Down
14/06/2005 15:17
To: Pierre-Arnauld Lecoeuvre, [email protected]
cc:
Subject: Re: [ISSForum] : checking zonexfer takes more than 30 minutes

Pierre-Arnauld,

I would lean to the tendency that this is somewhat normal. If your target is a Windows 2003 machine, it is likely that this check is not expecting what it is dealing with on that OS type. I say this because this is a UNIX check. The affected platforms for this check are:

IRIX: Any version, HP-UX: Any version, BSD: Any version, Linux: Any version, Solaris

If your 2003 server is running DNS, it is possible that it is still trying to run, but it is a check that, if not screened off by Dynamic Check Assignment, should be opted out on this target for your scan. You can run it anyway, and the check may time out and the scan complete, but if the check is not intended for the OS it is being run on, times can vary due to this reason.

Take a look at your scan log for this scan, parsing it for this check, and see what it is reporting back in the form of progress when this happens.

The other point to note is that although the GUI may be indicating that a check is being run, it does not mean that the check is being run singly. Other variables in the scan may be taking place, which can cause the overall time to increment. How long did the entire L5 Server scan take?

Pierre-Arnauld Lecoeuvre wrote:

Hello everyone,

I am scanning one server with an L5 Server policy with an Internet Scanner 7.0 SP2 (XPU level 5). The target server is a Windows 2k3. Can anyone tell me if this is normal to have this check (zonexfer) running more than 30 minutes?

Thanks in advance for your help.
Regards.

-------------------------------------------------
Pierre-Arnauld Lecoeuvre.
DEV/IIS/OAU/NET
Phone : +33 (0)4.97.23.09.62
-------------------------------------------------

_______________________________________________
ISSForum mailing list
[email protected]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
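
Added example (not part of the original thread, and not ISS code): one way to do the log comparison discussed above, measuring how long each check ran from its "Time Stamp" entry to the next timestamp in the scan log. The line formats are assumed from the snippets quoted in the thread; the sample log, the 192.0.2.x hosts, the name OtherCheck and the 60-second threshold are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the log snippets quoted in the thread.
SAMPLE_LOG = """\
# Time Stamp(0x660):192.0.2.10 ZoneXferCheck: (1118845382) Wed Jun 15 10:23:02
# 192.0.2.10 zonexfer could not connect
2005-06-15 10:23:08.000
# Time Stamp(0x690):192.0.2.20 ZoneXferCheck: (1118744719) Tue Jun 14 12:25:19
# 192.0.2.20 zonexfer could not connect
# Time Stamp(0x694):192.0.2.20 OtherCheck: (1118746399) Tue Jun 14 12:53:19
"""

START = re.compile(
    r"#\s*Time Stamp\(0x[0-9a-fA-F]+\):(\S+)\s+(\w+):\s+\((\d+)\)"
    r".*?(\d\d):(\d\d):(\d\d)\s*$")          # host, check, epoch, local h:m:s
STAMP = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")   # local time, no zone

def utc_offset(epoch, h, m, s):
    """Scanner's UTC offset in seconds, from one epoch/wall-clock pair."""
    diff = (h * 3600 + m * 60 + s) - epoch % 86400
    return (diff + 43200) % 86400 - 43200    # fold into the -12h..+12h range

def check_durations(log_text, slow_after=60):
    """One record per check start that is followed by a later timestamp."""
    results, pending, offset = [], None, 0
    for line in log_text.splitlines():
        line = line.strip()
        m = START.match(line)
        t = None if m else STAMP.match(line)
        if m:
            host, check, epoch = m.group(1), m.group(2), int(m.group(3))
            offset = utc_offset(epoch, *map(int, m.group(4, 5, 6)))
            now = epoch
        elif t:
            # Zone-less local time: convert with the offset learned above.
            naive = datetime.strptime(t.group(1), "%Y-%m-%d %H:%M:%S")
            now = int(naive.replace(tzinfo=timezone.utc).timestamp()) - offset
        else:
            continue                          # result lines carry no time
        if pending:
            secs = now - pending[2]
            results.append({"host": pending[0], "check": pending[1],
                            "seconds": secs, "slow": secs > slow_after})
        pending = (host, check, epoch) if m else None
    return results

if __name__ == "__main__":
    for record in check_durations(SAMPLE_LOG):
        print(record)
```

A check that is the last entry in the log has no following timestamp and is not reported.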
