On Sep 20, 2006, at 12:53 PM, Michel Arboi wrote:

On Wed Sep 20 2006 at 18:33, Douglas Nordwall wrote:

> Well, for me, the sheer configurability of it is the best part. Speed
> isn't always what you are after, and just this morning, speed was the
> enemy. We had a box that had countermeasures on it, and we had to
> move slow to not trigger them. I didn't see an option for this on the
> built in scanner.

safe_checks && max_checks=1 gives the lowest speed.
(! safe_checks) && max_checks>=5 gives the highest speed.

While I know this to be true (although I was not aware that safe_checks slowed things down, I may have missed mention of it, but I don't remember seeing it), it does not offer the level of configurability I was looking for in this particular situation. I needed very slow scans (on the order of no more than 5 ports in 5 minutes) to bypass the countermeasures.

> I also like the ability to control port scan randomization

We may introduce some trick against *basic* portscan detection, but
probably not randomization, because it might lead to erratic
problems.

Maybe ask Fyodor what they did to compensate for the problems you are concerned about? Seems to work for nmap, unless the problems you foresee deal with some aspect that nmap doesn't cover.

> and very fine grained control of the timing.

Fine grained control is the enemy of adaptability. Maybe I did not
find a single box with anti-portscan countermeasures, but I scanned
many boxes on unreliable links or loaded networks. In such cases, the
scanner has to slow down when it starts losing packets, and speed up
later. nessus_tcp_scanner does this rather well; in fact much better
than any other port scanner I tried.

Fair enough, and for your network that is fine. For my network, which I know fairly well, and have access to exactly what's happening on it, I can make those determinations in other ways.

As I said, this was a particular circumstance that doesn't come up everyday, but I did need more control than out of the box nessus provided for.

> Part of it, I imagine is because we really like nmap and there is a
> mental "this is the best port scanner

This sounds more like marketing than technique to me.

No, it's not marketing. I don't think nmap needs any marketing from me, a nobody in the computer security world. I'm merely expressing the mindset that may be there for some folks. You might read it as "we've always done it this way and we don't like to change" or "we haven't seen an appreciable difference to change" or any number of things. I assure you though, anyone on this list probably already knows what nmap is, and it doesn't need to be marketed.

Anyway, I do not see where the problem is.
nmap.nasl has always been available, and the import function works
fine and does not need to be updated every time a new option pops
up. Running Nmap from inside Nessus is definitely a bad idea, for
reasons that are written on the web site.

And I never said that it wasn't at least good to have there. Indeed, I'm glad the discussion came up, as it's important for people to know it's there, just to avoid headaches. You asked why people prefer to use nmap instead of the built in. I was trying to give you some feedback about how we operate that might be useful for Tenable.

--
http://arboi.da.ru/                     http://ma75.blogspot.com/
PGP key ID : 0x0BBABA91 - 0x1320924F0BBABA91
Fingerprint: 1048 B09B EEAF 20AA F645  2E1A 1320 924F 0BBA BA91

Doug Nordwall
Unix Administrator
EMSL Computer and Network Support
Unclassified Computer Security
Phone: (509)372-6776; Fax: (509)376-0420

The best book on programming for the layman is "Alice in Wonderland"; but that's because it's the best book on anything for the layman.
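Michel's point about adaptability (slow down when probes start going unanswered, speed up again when the link is clean), modelled as an added example; this is not nessus_tcp_scanner's code, and the thresholds, the AIMD policy and the capped-link model are all assumptions made for illustration.

```python
"""Toy model of adaptive scan pacing: back off when probes go unanswered,
speed up again once the link is clean.  Illustrative only; not the real
nessus_tcp_scanner logic, and the thresholds below are assumptions."""


class AdaptivePacer:
    """Chooses how many probes to send per round from the previous round's loss."""

    HEAVY_LOSS = 0.2  # assumed threshold: above this, halve the batch

    def __init__(self, start=8, min_batch=1, max_batch=64):
        self.batch = start
        self.min_batch = min_batch
        self.max_batch = max_batch

    def observe(self, sent, answered):
        """Update the batch size from one round's result and return the new size."""
        loss = 1.0 - answered / sent if sent else 0.0
        if loss > self.HEAVY_LOSS:
            self.batch = max(self.min_batch, self.batch // 2)   # multiplicative decrease
        elif loss > 0.0:
            self.batch = max(self.min_batch, self.batch - 1)    # gentle back-off
        else:
            self.batch = min(self.max_batch, self.batch + 1)    # additive increase
        return self.batch


class CappedLink:
    """Constructed link model: answers at most `capacity` probes per round, drops the rest."""

    def __init__(self, capacity):
        self.capacity = capacity

    def deliver(self, sent):
        return min(sent, self.capacity)


def simulate(pacer, capacities):
    """Run one round per capacity value; return the batch size used in each round."""
    used = []
    for cap in capacities:
        link = CappedLink(cap)
        sent = pacer.batch
        used.append(sent)
        pacer.observe(sent, link.deliver(sent))
    return used


if __name__ == "__main__":
    # Constructed scenario: a healthy link, a congested spell, then a fast link.
    print(simulate(AdaptivePacer(), [10] * 6 + [4] * 4 + [40] * 10))
```

The trajectory shows the pacer settling just around the link's capacity, halving when the congested spell starts, and climbing back one step per clean round afterwards.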

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus