Hello,
I'm running a Nessus v3.2.1 server on Windows 2003 Server and using the
NessConnect v1.0.1 client.
I'm noticing that when I specify particularly long lists of IP's to scan or any
sizable CIDR's, it will stop scanning after somewhere around 300-400 hosts.
The logs don't indicate any problems and indicate the scan finished normally.
As an example, I ran a scan last night on 192.168.0.0/16. The scan ran for 1
hr 56 mins but only finished hosts 192.168.0.1 - 192.168.1.208; hosts 209-212
were initiated but never completed. I was only scanning w/ 2 plugins (Ping the
remote host [ARP/TCP/ICMP] & SYN Scan).
The server.log shows:
[Tue Aug 12 16:46:14 2008][2636] 23117 plugins loaded
[Tue Aug 12 16:46:15 2008][2636] Nessus Service started
[Tue Aug 12 16:47:40 2008][2636] Successful login of rdrake from 10.10.1.84
[Tue Aug 12 17:01:03 2008][2636] user rdrake starts a new scan. Target(s) :
192.168.0.0/16, with max_hosts = 10, max_checks = 5 and safe_checks = yes
[Tue Aug 12 18:57:55 2008][2636] user rdrake : test of 192.168.0.0/16 completed
The last 25 lines of the scan.log show:
[Tue Aug 12 18:55:21 2008][2444] Finished testing 192.168.1.196. Time : 148.639
secs, 16 plugins launched
[Tue Aug 12 18:55:21 2008][2444] Finished testing 192.168.1.198. Time : 147.983
secs, 16 plugins launched
[Tue Aug 12 18:55:21 2008][2444] Finished testing 192.168.1.195. Time : 148.514
secs, 16 plugins launched
[Tue Aug 12 18:55:21 2008][2444] Scan 192.168.1.201 using 2 plugins
[Tue Aug 12 18:55:21 2008][2444] user rdrake : testing 192.168.1.203
(192.168.1.203) [2444]
[Tue Aug 12 18:55:22 2008][2444] user rdrake : testing 192.168.1.205
(192.168.1.205) [2444]
[Tue Aug 12 18:55:22 2008][2444] Finished testing 192.168.1.197. Time : 149.124
secs, 16 plugins launched
[Tue Aug 12 18:55:22 2008][2444] user rdrake : testing 192.168.1.207
(192.168.1.207) [2444]
[Tue Aug 12 18:55:22 2008][2444] Scan 192.168.1.204 using 2 plugins
[Tue Aug 12 18:55:22 2008][2444] user rdrake : testing 192.168.1.206
(192.168.1.206) [2444]
[Tue Aug 12 18:55:22 2008][2444] Scan 192.168.1.203 using 2 plugins
[Tue Aug 12 18:55:22 2008][2444] user rdrake : testing 192.168.1.208
(192.168.1.208) [2444]
[Tue Aug 12 18:55:22 2008][2444] Scan 192.168.1.207 using 2 plugins
[Tue Aug 12 18:55:23 2008][2444] Scan 192.168.1.205 using 2 plugins
[Tue Aug 12 18:55:23 2008][2444] Scan 192.168.1.208 using 2 plugins
[Tue Aug 12 18:55:23 2008][2444] Scan 192.168.1.206 using 2 plugins
[Tue Aug 12 18:57:04 2008][2444] Finished testing 192.168.1.199. Time : 237.779
secs, 16 plugins launched
[Tue Aug 12 18:57:04 2008][2444] user rdrake : testing 192.168.1.209
(192.168.1.209) [2444]
[Tue Aug 12 18:57:04 2008][2444] Scan 192.168.1.209 using 2 plugins
[Tue Aug 12 18:57:51 2008][2444] Finished testing 192.168.1.202. Time : 150.155
secs, 16 plugins launched
[Tue Aug 12 18:57:51 2008][2444] Finished testing 192.168.1.204. Time : 150.155
secs, 16 plugins launched
[Tue Aug 12 18:57:51 2008][2444] Finished testing 192.168.1.200. Time : 150.717
secs, 16 plugins launched
[Tue Aug 12 18:57:51 2008][2444] user rdrake : testing 192.168.1.210
(192.168.1.210) [2444]
[Tue Aug 12 18:57:51 2008][2444] user rdrake : testing 192.168.1.212
(192.168.1.212) [2444]
[Tue Aug 12 18:57:51 2008][2444] user rdrake : testing 192.168.1.211
(192.168.1.211) [2444]
When I look at the Application Event log I see this arounnd the same time as
the last entry:
Source: DrWatson
Event ID: 4097
The application, C:\Program Files\Tenable\Nessus\scan.exe, generated an
application error The error occurred on 08/12/2008 @ 18:57:55.089 The exception
generated was c0000005 at address 7C81BD02
(ntdll!ExpInterlockedPopEntrySListFault)
What's causing the scan to just die? This has been rather frustrating and
prevents me from making practical use of Nessus for scanning my network.
Thanks,
RD
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
