Hi Rich,
You said confuse but then said the scan was taking too long.
Are you just performing a port scan, or performing other checks
as well? Did any of you other computers have a web server on
them?
Looking at the Nessus log file for the scan could give you more
insight as to which plugins are running and taking long time.
And standard questions --
- Nessus 2 or Nessus 3?
- full port scan or partial?
- which port scanners are you using?
- are you scanning from a VM on a laptop?
- are you scanning through a firewall?
- is the machine you are scanning slow, underpowered, on a slow link, .etc?
Ron Gula
Tenable Network Security
Rich Whitcroft wrote:
> I launched a scan on a range and I'm curious as to why this one host
> seems to be confusing nessus_tcp_scanner. The rest of the hosts in the
> range finished in a few minutes, but this one's been going for over 35
> minutes (it just finished as I type this).
>
> I straced it to see what the hell it was doing, and I see this:
>
> [Actual IP replaced with a.b.c.d]
>
> [EMAIL PROTECTED]:~# pgrep -lf scanner
> 18178 nessusd: testing a.b.c.d
> (/opt/nessus/lib/nessus/plugins/nessus_tcp_scanner.nes)
>
> [EMAIL PROTECTED]:~# strace -etrace=connect -p 18178
> Process 18178 attached - interrupt to quit
> connect(6, {sa_family=AF_INET, sin_port=htons(9100),
> sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in
> progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(80),
> sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in
> progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(280),
> sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in
> progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(515),
> sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in
> progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(80),
> sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in
> progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(80),
> sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in
> progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(80),
> sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in
> progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(515),
> sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in
> progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(9100),
> sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in
> progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(280),
> sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in
> progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(280),
> sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in
> progress)
> Process 18178 detached
>
> You get the idea. The scanner seems infatuated with these few ports
> (9100, 80, 280, 515) and has been pounding on them for way too long.
>
> The host in question is a Mac, and is likely the only Mac in the range.
> Without getting into specifics on why this is annoying, I'd like to a)
> understand what's happening here and b) stop this from happening.
>
> Thanks!
> _______________________________________________
> Nessus mailing list
> [email protected]
> http://mail.nessus.org/mailman/listinfo/nessus
>
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
