nessus_tcp_scanner.nes slowness

Fri, 05 Dec 2008 10:23:46 -0800 

I launched a scan on a range and I'm curious as to why this one host 
seems to be confusing nessus_tcp_scanner. The rest of the hosts in the 
range finished in a few minutes, but this one's been going for over 35 
minutes (it just finished as I type this).

I straced it to see what the hell it was doing, and I see this:

[Actual IP replaced with a.b.c.d]

  [EMAIL PROTECTED]:~# pgrep -lf scanner
  18178 nessusd: testing a.b.c.d 
(/opt/nessus/lib/nessus/plugins/nessus_tcp_scanner.nes)

  [EMAIL PROTECTED]:~# strace -etrace=connect -p 18178
  Process 18178 attached - interrupt to quit
  connect(6, {sa_family=AF_INET, sin_port=htons(9100), 
sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in 
progress)
  connect(6, {sa_family=AF_INET, sin_port=htons(80), 
sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in 
progress)
  connect(6, {sa_family=AF_INET, sin_port=htons(280), 
sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in 
progress)
  connect(6, {sa_family=AF_INET, sin_port=htons(515), 
sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in 
progress)
  connect(6, {sa_family=AF_INET, sin_port=htons(80), 
sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in 
progress)
  connect(6, {sa_family=AF_INET, sin_port=htons(80), 
sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in 
progress)
  connect(6, {sa_family=AF_INET, sin_port=htons(80), 
sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in 
progress)
  connect(6, {sa_family=AF_INET, sin_port=htons(515), 
sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in 
progress)
  connect(6, {sa_family=AF_INET, sin_port=htons(9100), 
sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in 
progress)
  connect(6, {sa_family=AF_INET, sin_port=htons(280), 
sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in 
progress)
  connect(6, {sa_family=AF_INET, sin_port=htons(280), 
sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in 
progress)
  Process 18178 detached

You get the idea. The scanner seems infatuated with these few ports 
(9100, 80, 280, 515) and has been pounding on them for way too long.

The host in question is a Mac, and is likely the only Mac in the range. 
Without getting into specifics on why this is annoying, I'd like to a) 
understand what's happening here and b) stop this from happening.

Thanks!
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus

Reply via email to