Hi Pierre-Arnauld,

Your interpretation is correct and the log verifies your conclusion. With the Internet Scanner console, the events that populate the status window come in based on when the console gets the init event from the sensor, which is not necessarily in sync with when the check was completed. The zonexfer check started at 12:25:20 in the log and the GUI mirrors that, but the GUI makes it appear that the time between the start of zonexfer (implied to be run sequentially by the way the GUI lists the checks) and WeblogicBannerEnabled is almost 30 minutes long. Based on the console events, it would be easy to conclude the zonexfer check was taking the time indicated between checks.

It looks as if the reason WeblogicBannerEnabled is taking so long itself is due to the dependency in the check to do some pretty hefty port scanning, which is a time consumer. Since DCA will not strip this check off, it will run against Windows 2003. You may be able to cut down the time on this check by reducing the timeouts to maybe half (1000).

The thought of the zonexfer check taking 30 minutes just didn't add up and I questioned it along with you. The status window in the console, as far as check status events are concerned, could be somewhat equated to the dashboard on a car: as close as possible an indication of what is going on from a chosen perspective. Any time there is a question regarding something like this, you can usually get to the bottom of it in the sensor log.

Happy scanning!
Pierre-Arnauld Lecoeuvre <[EMAIL PROTECTED]> wrote:

The target server is not running a DNS, so, as you said, the scanner is probably waiting for some timeout.

The last point you mentioned regarding the display of status on the Internet Scanner GUI is interesting. Some latency can occur, and here is a screenshot of my GUI: (Embedded image moved to file: pic08723.jpg)

According to this GUI, zonexfer takes around 28 minutes, and the checks on WebLogic are very fast. But in our policy, we are scanning a wide range of TCP ports for this WebLogic check. So I have disabled this check (in fact I only restored the default settings), and the scan ran much faster. The GUI (and its interpretation) led me into error. In fact the "zonexfer" doesn't take 28 minutes; it's all the other WebLogic checks which are taking a lot of time. Here is what I have found in the log file:

# Time Stamp(0x690):172.16.132.137 ZoneXferCheck: (1118744719) Tue Jun 14 12:25:19
# 172.16.132.137 zonexfer could not connect
msecs='0'/> 2005-06-14 12:25:20.000', MaxAccess='10' mins='33' secs='33' msecs='735'/>
# Time Stamp(0x654): 172.16.132.137: (1118746413) 2005-06-14 12:53:33.000
# Started the WeblogicBannerEnabled check...

You can see it's WebLogic that is taking 33 minutes and not zonexfer. Then I re-scanned the same server with the default check for WebLogic, and it took around 30 minutes.

Please correct me if my interpretation is wrong. Many thanks for your help.

-------------------------------------------------
Pierre-Arnauld Lecoeuvre. DEV/IIS/OAU/NET
Phone : +33 (0)4.97.23.09.62
-------------------------------------------------

Woah Down, 15/06/2005 16:35
To: Pierre-Arnauld Lecoeuvre
cc: [email protected]
Subject: Re: [ISSForum] : checking zonexfer takes more than 30 minutes

Yeah, that doesn't surprise me that it does. With that being the case, that is why it is being run on all platforms through DCA and not screened off.
We'd have to assume that it is intended to run regardless of platform based on that information, which does bring Windows 2003 back into the equation. The next issue becomes the fact that you've confirmed that you aren't running a DNS server on that machine. Since it is not there, the check should time out in or around the same time that it would take if it were a foundvuln condition.

I went ahead and did a sanity check on what you are experiencing, and here's what I see running the check singly to isolate off most everything that could be running in parallel with the check (meaning other checks), thus taking away resource sharing issues:

For a host that is vulnerable (a Red Hat Linux box), the check ran in about 1 sec or less:

# Time Stamp(0x5f0):xxx.xxx.xxx.xxx ZoneXferCheck: (1118845023) Wed Jun 15 10:17:03
xxx.xxx.xxx.xxx: zonexfer vulnerable
2005-06-15 10:17:03.000 <-- Next timestamp
******

For a host that was not vulnerable, similar to yours (a Windows 2003 Server box), the check ran in about 6 seconds:

# Time Stamp(0x660):xxx.xxx.xxx.xxx ZoneXferCheck: (1118845382) Wed Jun 15 10:23:02
# xxx.xxx.xxx.xxx zonexfer could not connect
2005-06-15 10:23:08.000 <-- Next timestamp
******

You might want to try running the check all by itself and see if it continues to take so long. If you can send the log snippet like you did before, snip it below all of those check group numbers after the check: I'm not sure what those are, but I'd like to see the timestamp directly under them. If you run the check singly and it is still as slow, it strips off the case where there is more going on due to it being an L5 Server policy it is coming out of.
Pierre-Arnauld Lecoeuvre wrote:

Hello,

According to the description in the Policy Editor, here are the platforms:

IRIX: Any version, HP-UX: Any version, BSD: Any version, Linux: Any version, Solaris: Any version, DG/UX: Any version, Windows: 95, OS/2: Any version, Windows NT: 4.0, Compaq Tru64 UNIX: Any version, Windows: Me, Cisco IOS: Any version, SCO Unix: Any version, Windows: 98, Novell NetWare: Any version, Windows: 98 Second Edition, Windows 2000: Any version, AIX: Any version, Mac OS: Any version, Windows: XP, Windows 2003: Any version

My win2k3 is not running any DNS service, and the nslookup command answers quickly.

In the log file, here is the occurrence with zonexfer:

# Time Stamp(0x690):172.16.132.137 ZoneXferCheck: (1118744719) Tue Jun 14 12:25:19
# 172.16.132.137 zonexfer could not connect

And I see the same thing in the GUI. The next entry has its time stamp at 12h53. The entire scan takes 1h40.

Thanks. Regards.

-------------------------------------------------
Pierre-Arnauld Lecoeuvre. DEV/IIS/OAU/NET
Phone : +33 (0)4.97.23.09.62
-------------------------------------------------

Woah Down, 14/06/2005 15:17
To: Pierre-Arnauld Lecoeuvre, [email protected]
Subject: Re: [ISSForum] : checking zonexfer takes more than 30 minutes

Pierre-Arnauld,

I would lean to the tendency that this is somewhat normal. If your target is a Windows 2003 machine, it is likely that this check is not expecting what it is dealing with on that OS type. I say this because this is a UNIX check. The affected platforms for this check are: IRIX: Any version, HP-UX: Any version, BSD: Any version, Linux: Any version, Solaris

If your 2003 server is running DNS, it is possible that it is still trying to run, but it is a check that, if not screened off by Dynamic Check Assignment, should be opted out on this target for your scan.
You can run it anyway, and the check may time out and the scan complete, but if the check is not intended for the OS it is being run on, times can vary for this reason. Take a look at your scan log for this scan, parsing it for this check, and see what it is reporting back in the form of progress when this happens. The other point to note is that although the GUI may be indicating that a check is being run, it does not mean that the check is being run singly. Other variables in the scan may be taking place, which can cause the overall time to increment. How long did the entire L5 Server scan take?

Pierre-Arnauld Lecoeuvre wrote:

Hello everyone,

I am scanning one server with an L5 Server policy with an Internet Scanner 7.0 SP2 (XPU level 5). The target server is a Windows 2k3. Can anyone tell me if it is normal to have this check (zonexfer) running for more than 30 minutes?

Thanks in advance for your help. Regards.

-------------------------------------------------
Pierre-Arnauld Lecoeuvre. DEV/IIS/OAU/NET
Phone : +33 (0)4.97.23.09.62
-------------------------------------------------

_______________________________________________
ISSForum mailing list
[email protected]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
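The thread's conclusion is that check run times should be read from the sensor log's Time Stamp lines (the epoch value in parentheses) rather than from the console status window, whose events arrive on the console's schedule. The script below is an added example, not code from the thread, from ISS or from Internet Scanner: it parses Time Stamp lines in the two shapes quoted above, attributes the gap to the next stamp to the preceding check, and flags checks that exceed a threshold. The sample log is constructed from the lines quoted in the thread; the third stamp and its "HypotheticalNext" check name are placeholders added so that the WeblogicBannerEnabled check has an end point, and the assumption that a stamp without a check name is followed by a "# Started the X check..." line is taken only from the quoted snippet.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the sensor log lines quoted in the thread.
# The third stamp (33 min 33 s after the second, matching the mins='33'
# secs='33' fragment quoted) and its "HypotheticalNext" name are placeholders.
SAMPLE_LOG = """\
# Time Stamp(0x690):172.16.132.137 ZoneXferCheck: (1118744719) Tue Jun 14 12:25:19
# 172.16.132.137 zonexfer could not connect
# Time Stamp(0x654): 172.16.132.137: (1118746413) 2005-06-14 12:53:33.000
# Started the WeblogicBannerEnabled check...
# Time Stamp(0x654): 172.16.132.137: (1118748426) 2005-06-14 13:27:06.000
# Started the HypotheticalNext check...
"""

# Stamp line: "# Time Stamp(0x690):<host> [<CheckName>:] (<epoch seconds>) ..."
# Using the epoch value avoids any dependence on the sensor's local time zone.
STAMP_RE = re.compile(
    r"^# Time Stamp\(0x[0-9a-fA-F]+\):\s*(?P<host>[\d.]+):?\s+"
    r"(?:(?P<check>\w+):\s+)?\((?P<epoch>\d+)\)"
)
# Assumption from the quoted snippet: a stamp without a check name is
# followed by a "# Started the X check..." line naming the check.
STARTED_RE = re.compile(r"^# Started the (?P<check>\w+) check")

CheckTiming = Tuple[str, int, Optional[int]]  # (check name, start epoch, elapsed seconds)


def parse_stamps(log_text: str) -> List[Tuple[str, int]]:
    """Return (check name, start epoch) for every Time Stamp line, in log order."""
    lines = log_text.splitlines()
    stamps: List[Tuple[str, int]] = []
    for i, line in enumerate(lines):
        m = STAMP_RE.match(line)
        if not m:
            continue
        name = m.group("check")
        if name is None:
            # Fall back to the "# Started the X check..." line that follows.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            s = STARTED_RE.match(nxt)
            name = s.group("check") if s else "unknown"
        stamps.append((name, int(m.group("epoch"))))
    return stamps


def check_durations(log_text: str) -> List[CheckTiming]:
    """Attribute the gap between consecutive stamps to the earlier check.

    This is only accurate when checks run one after another, which is what
    the console's ordering suggests but the sensor does not guarantee;
    running the suspect check singly, as the thread recommends, removes that
    ambiguity. The last check has no successor, so its elapsed time is None.
    """
    stamps = parse_stamps(log_text)
    out: List[CheckTiming] = []
    for idx, (name, start) in enumerate(stamps):
        elapsed = stamps[idx + 1][1] - start if idx + 1 < len(stamps) else None
        out.append((name, start, elapsed))
    return out


def slow_checks(log_text: str, threshold_seconds: int = 600) -> List[str]:
    """Names of checks whose attributed run time exceeds the threshold."""
    return [name for name, _, elapsed in check_durations(log_text)
            if elapsed is not None and elapsed > threshold_seconds]


def fmt(seconds: Optional[int]) -> str:
    """Render elapsed seconds as e.g. 28m14s; '-' when unknown."""
    if seconds is None:
        return "-"
    return f"{seconds // 60}m{seconds % 60:02d}s"


if __name__ == "__main__":
    for name, start, elapsed in check_durations(SAMPLE_LOG):
        print(f"{name:<24} start={start}  elapsed={fmt(elapsed)}")
    print("slow:", slow_checks(SAMPLE_LOG))
```

On the constructed sample this attributes 28m14s to ZoneXferCheck and 33m33s to WeblogicBannerEnabled, which is the same reading the thread arrives at by hand: the long gap after the zonexfer stamp ends when the WebLogic check starts, so it belongs to whatever ran in between, and the 33 minutes belong to the port-scanning WebLogic check.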
