You mentioned CPU activity, but what about system load? My experience is
that you *must* have enough memory to handle the scans in question in a
timely fashion or the load will simply build until nessus fails.

I also use nessus from one scan box to handle both regular sweep scans and
on-demand scanning. Both of these are handled in an automated fashion (an
on-demand can be requested by a user which puts it into the queue). The
ongoing scans represent a fairly well known overhead. Sure it varies, but
not by too much. To prevent on-demand from overloading the system they are
queued. We don't do that much on-demand scanning, though, and the maximal
delay of one minute until the queue is read again hasn't been an issue.

There's no indication of how many systems you are scanning in the week
period or with what plugins enabled. We run two types of ongoing scans:
selected plugins and full safe scans. The full safe scans "float", but the
limited scan hits about 8,000 computers every two days or so. Memory is the
real telling point. When first deployed the system only had 512MB -- which
was simply not enough in our environment. I managed to get a new machine
with 2GB and it has run well for the last seven months. If I recall
correctly our normal memory usage is about 1GB with peaks around 1.6GB.
(Requesting beefy hardware can be a hard sell with management, but I no
longer get asked why the nessus scans have stopped...)

Tim Doty
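
The queueing described in the message above, as an added example that is not part of the original thread: on each read of the on-demand queue, start only as many scans as current memory allows and leave the rest queued for the next read. The per-scan memory figure, the reserve, the target addresses and the /proc/meminfo text are assumptions constructed for illustration.

```python
"""Memory-gated drain of an on-demand scan queue (added example)."""
from collections import deque

# Constructed /proc/meminfo excerpt for a 2 GB scan box (values in kB).
SAMPLE_MEMINFO = """\
MemTotal:        2074128 kB
MemFree:          151204 kB
MemAvailable:     912384 kB
SwapTotal:       1048572 kB
SwapFree:        1048572 kB
"""

def available_mb(meminfo_text):
    """Return MemAvailable in MB, falling back to MemFree on old kernels."""
    fields = {}
    for line in meminfo_text.splitlines():
        key, _, rest = line.partition(":")
        if rest.strip():
            fields[key.strip()] = int(rest.split()[0])
    kb = fields.get("MemAvailable", fields.get("MemFree"))
    if kb is None:
        raise ValueError("no MemAvailable/MemFree field found")
    return kb // 1024

def drain(queue, avail_mb, per_scan_mb=300, reserve_mb=256):
    """Pop requests that fit in memory now; leave the rest for the next poll.

    per_scan_mb and reserve_mb are assumed sizing figures, to be replaced
    with numbers measured on the scan host.
    """
    admitted = []
    budget = avail_mb - reserve_mb
    while queue and budget >= per_scan_mb:
        admitted.append(queue.popleft())
        budget -= per_scan_mb
    return admitted

if __name__ == "__main__":
    pending = deque(["10.0.0.5", "10.0.0.9", "10.0.0.12"])  # constructed targets
    mb = available_mb(SAMPLE_MEMINFO)
    print("available MB:", mb)
    print("start now:", drain(pending, mb))
    print("still queued:", list(pending))
```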

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Ondrej Holecek
Sent: Sunday, May 13, 2007 1:20 PM
To: Ron Gula
Cc: [email protected]
Subject: Re: user priorities

hi Ron,

no, I run nessus on debian linux, and I can't see any mention of Windows
in my previous post.

thanks for the link to blog.tenablesecurity.com, it's very useful

I've tried to play with max_checks and test time is much better now
(10-15 minutes), but the maximal value I can use is 15 and in the log there is
max_checks (20) > MAX_PROCESSES (16)

I think that our computer could handle more processes without a problem.
is it somehow possible to increase this value? nessus3 is closed source, so I
can't recompile it.

why continuous scan:
our network is a student network, the only firewall rule we use is blocking
connections to port 25 outside. we have problems with insecure user
computers attacked by worms, etc. generating unwanted (and illegal) traffic.

with nessus we check all computers once a week, and if we find it has
a security hole, we automatically change the user's vlan to a more restrictive one
(and send an email to the user to apply the security updates)

oHo

Ron Gula wrote:
> Hi Ondrej,
> 
> Several comments and ideas --
> 
> You mention you are running Nessus on Windows XP. I'm curious if you 
> could share how you scheduled your continuous scans. I'm wondering if 
> you are experiencing overlap between your continuous scans.
> 
> With Windows XP, the performance of scans is not as good as Windows 
> servers (like 2003). If you can upgrade to 2003 or Linux, you should 
> get better performance. More memory may help, but the Windows XP OS is 
> limiting you some.
> 
> Perhaps you could lower the sampling of your continuous scans? Maybe 
> add an hour wait state between scans?
> 
> Perhaps your checks per host or hosts to scan at the same time could
> be tweaked. When playing with these variables, I like to maximize 
> checks per host but put hosts per scan at like 1 or 2. This lets me 
> see how hard the Nessus scanner works scanning one host.
> 
> The delay between logging into Nessus and starting the scan of 1 
> minute (especially during another scan) is expected.
> 
> You are correct in your understanding of the 'optimize_test' setting.
> You should also enable 'safe_checks' as well:
> http://blog.tenablesecurity.com/2006/09/understanding_t.html
> 
> I'm not sure what your organization's goals of a continuous scan are. 
> If you want to discover new hosts, you don't need a full vulnerability 
> scan for this. Other ideas you might look into:
> 
> - The 'optimizing Nessus scan speed' blog entry 
> http://blog.tenablesecurity.com/2007/01/optimizing_ente.html
> 
> - You may also want to consider passive products like our Passive 
> Vulnerability Scanner that monitor network traffic.
> 
> Ron Gula, CTO
> Tenable Network Security
> http://www.tenablesecurity.com
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
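
The tuning discussed in this thread (max_checks against the MAX_PROCESSES limit in the quoted log line, 'safe_checks' and 'optimize_test', and sizing hosts per scan from a one-host measurement), as an added example that is not part of the original messages. The nessusd.conf excerpt is constructed, the limit of 16 is taken from the log line above and may differ on other builds, and the per-check memory figure is an assumption to be measured on the scan host.

```python
"""Review nessusd.conf concurrency settings (added example)."""

# Limit copied from the log line quoted in the thread,
# "max_checks (20) > MAX_PROCESSES (16)"; other builds may differ.
MAX_PROCESSES = 16

# Constructed nessusd.conf excerpt.
SAMPLE_CONF = """\
# scanner tuning
max_hosts = 40
max_checks = 20
optimize_test = yes
safe_checks = no
"""

def parse_conf(text):
    """Parse 'key = value' lines, ignoring blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def review(conf, limit=MAX_PROCESSES):
    """Return (worst-case simultaneous checks, findings)."""
    hosts = int(conf.get("max_hosts", 0))
    checks = int(conf.get("max_checks", 0))
    findings = []
    if checks > limit:
        findings.append(f"max_checks ({checks}) > MAX_PROCESSES ({limit})")
    for key in ("safe_checks", "optimize_test"):
        if conf.get(key, "").lower() != "yes":
            findings.append(f"{key} is not set to yes")
    # Each host under test can run up to max_checks plugins at once.
    return hosts * checks, findings

def hosts_that_fit(budget_mb, checks, per_check_mb):
    """Largest max_hosts whose worst case stays inside a memory budget.

    per_check_mb is an assumed figure, measured by scanning one or two
    hosts with max_checks at its intended value.
    """
    return max(1, int(budget_mb // (checks * per_check_mb)))

if __name__ == "__main__":
    total, findings = review(parse_conf(SAMPLE_CONF))
    print("worst-case simultaneous checks:", total)
    for f in findings:
        print("finding:", f)
    print("max_hosts for 1024 MB at 4 MB/check:", hosts_that_fit(1024, 15, 4))
```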
