On Thu Sep 21 2006 at 15:57, Douglas Nordwall wrote:

> While I know this to be true (although I was not aware that
> safe_checks slowed things down, I may have missed mention of it, but
> I don't remember seeing it)

nessus_tcp_scanner computes two parameters:

  min_cnx = 8 * MAX(max_checks, 5);
  if (safe_checks)
    max_cnx = 24 * MAX(max_checks, 5);
  else
    max_cnx = 80 * MAX(max_checks, 5);

Those basic values may be lowered if the machine is loaded or short of
file descriptors.

min_cnx is used to initialize open_sock_max, which is the number of open
parallel connections:

  open_sock_max = min_cnx / (pass + 1);

open_sock_max is then adjusted during the scan; it never goes higher than
max_cnx.

The number of probes per second is *never* adjusted. But you can estimate
it from open_sock_max and the RTT (roughly < open_sock_max / rtt).

For example, if you set max_checks to 5 and safe_checks: min_cnx = 40;
max_cnx = 120. During the first pass, nessus_tcp_scanner will first try to
open 40 sockets at once. If the target answers well, the number of parallel
connections will increase but never go above 120. If there is a second
pass, nessus_tcp_scanner will first open 20 sockets at once... At the
beginning of the tenth pass (definitely a problem with the target), it
will open 4 sockets at once.

> I needed very slow scans (on the order of no more than 5 ports in 5
> minutes) to bypass the countermeasures.

This means that you'll need 65535 min = 1092.25 h = 45.5 days to run a
full port scan. Is this acceptable? I don't think so.

> Maybe ask Fyodor what they did to compensate for the problems you are
> concerned about?

nmap randomizes the port numbers by default. We suspect that this defeats
crude countermeasures.

> fair enough, and for your network that is fine.

I nearly never scan *my* network. My experience comes from different
networks on my customers' sites. Many of them are a mix of quick LANs,
overloaded links or routers, slow leased lines or high-latency
satellite-based WANs. Scans often run more than a day and the network load
is concentrated during the working hours (or at least, the nature of the
traffic changes in the evening). That's why I needed an adaptive tool!

It would be great if this scanner could also suit your needs, but I am
afraid that your requirements are too strict.

> I know fairly well, and have access to exactly what's happening on
> it, I can make those determinations in other ways.

Maybe the Nessus SYN scanner would be better for you? It is slower but its
behaviour is more regular, IIRC.

> You asked why people prefer to use nmap instead of the built in.

I see. I am still surprised by your figures.

-- 
http://arboi.da.ru/
http://ma75.blogspot.com/
PGP key ID : 0x0BBABA91 - 0x1320924F0BBABA91
Fingerprint: 1048 B09B EEAF 20AA F645 2E1A 1320 924F 0BBA BA91

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
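The connection-budget arithmetic described in the reply above, reproduced as an added example (this is not Nessus code and not part of the thread). It assumes a 0-based pass counter and ignores the host-load and file-descriptor reductions the post mentions; the probe-rate figure is the rough upper bound stated in the post, not a measurement.

```python
from dataclasses import dataclass


@dataclass
class ScannerBudget:
    """Connection limits of nessus_tcp_scanner as described in the post."""
    max_checks: int
    safe_checks: bool

    @property
    def min_cnx(self) -> int:
        # min_cnx = 8 * MAX(max_checks, 5)
        return 8 * max(self.max_checks, 5)

    @property
    def max_cnx(self) -> int:
        # safe_checks lowers the ceiling: 24x instead of 80x
        factor = 24 if self.safe_checks else 80
        return factor * max(self.max_checks, 5)

    def initial_open_sock_max(self, pass_no: int) -> int:
        # open_sock_max = min_cnx / (pass + 1); pass_no is 0-based (assumption)
        return self.min_cnx // (pass_no + 1)

    def clamp(self, open_sock_max: int) -> int:
        # adjusted during the scan, but never above max_cnx
        return min(open_sock_max, self.max_cnx)

    def probe_rate_upper_bound(self, open_sock_max: int, rtt_seconds: float) -> float:
        # probes per second, roughly < open_sock_max / rtt
        return self.clamp(open_sock_max) / rtt_seconds


def full_scan_duration_days(ports: int, ports_per_minute: float) -> float:
    """How long a scan of `ports` ports takes at a fixed port-per-minute rate."""
    return ports / ports_per_minute / 60 / 24


if __name__ == "__main__":
    b = ScannerBudget(max_checks=5, safe_checks=True)
    print("min_cnx", b.min_cnx, "max_cnx", b.max_cnx)
    for p in (0, 1, 9):
        print("pass", p + 1, "opens", b.initial_open_sock_max(p), "sockets at once")
    # the "5 ports in 5 minutes" requirement from the thread
    print("full port scan at 1 port/min:", round(full_scan_duration_days(65535, 1), 1), "days")
```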
